File name:

Windows 10.exe

Full analysis: https://app.any.run/tasks/714f2300-6348-43b3-b52b-9e707547b39f
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: July 12, 2024, 13:51:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
darkcomet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BE096F2DFAA99372B5029B4F5501DA73

SHA1:

BFA354D91DBCD8672B0F02546C3F61A24818EA6F

SHA256:

4EF2C0E780973DE90816D5F8BF0B289EE29A1995FDF23ED7A9CA359BFED0BDBE

SSDEEP:

12288:m6/k564R2MsyHJGfN02XWDvQi4vGbN5Io1dxdffGslkqLznIAn:m6/l4R2MsypGj9GH3ffGWkmt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • Windows 10.exe (PID: 2276)

    • Drops the executable file immediately after the start

      • Windows 10.exe (PID: 2276)

    • Changes the autorun value in the registry

      • Windows 10.exe (PID: 2276)

    • DARKCOMET has been detected (YARA)

      • IMDCSC.exe (PID: 3228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Windows 10.exe (PID: 2276)

    • Starts itself from another location

      • Windows 10.exe (PID: 2276)

    • Reads security settings of Internet Explorer

      • Windows 10.exe (PID: 2276)

    • Reads the date of Windows installation

      • Windows 10.exe (PID: 2276)

    • There is functionality for taking screenshot (YARA)

      • IMDCSC.exe (PID: 3228)

    • There is functionality for communication over UDP network (YARA)

      • IMDCSC.exe (PID: 3228)

    • Connects to unusual port

      • IMDCSC.exe (PID: 3228)

  • INFO

    • Checks supported languages

      • Windows 10.exe (PID: 2276)
      • IMDCSC.exe (PID: 3228)

    • Reads the computer name

      • Windows 10.exe (PID: 2276)
      • IMDCSC.exe (PID: 3228)

    • Process checks computer location settings

      • Windows 10.exe (PID: 2276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (31.9)
.scr | Windows screen saver (29.4)
.dll | Win32 Dynamic Link Library (generic) (14.8)
.exe | Win32 Executable (generic) (10.1)
.exe | Win16/32 Executable Delphi generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 586752
InitializedDataSize: 86528
UninitializedDataSize: -
EntryPoint: 0x8f888
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windows 10.exe THREAT imdcsc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2276"C:\Users\admin\AppData\Local\Temp\Windows 10.exe" C:\Users\admin\AppData\Local\Temp\Windows 10.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\windows 10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
3228"C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe" C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe
Windows 10.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\documents\dcscmin\imdcsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
1 681
Read events
1 671
Write events
10
Delete events
0

Modification events

(PID) Process:(2276) Windows 10.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:DarkComet RAT
Value:
C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe
(PID) Process:(2276) Windows 10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:UserInit
Value:
C:\Windows\system32\userinit.exe,C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe
(PID) Process:(2276) Windows 10.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2276) Windows 10.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2276) Windows 10.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2276) Windows 10.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2276Windows 10.exeC:\Users\admin\Documents\DCSCMIN\IMDCSC.exeexecutable
MD5:BE096F2DFAA99372B5029B4F5501DA73
SHA256:4EF2C0E780973DE90816D5F8BF0B289EE29A1995FDF23ED7A9CA359BFED0BDBE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
47
DNS requests
13
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2248
MoUsoCoreWorker.exe
GET
200
2.16.164.66:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2248
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3716
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6188
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2056
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3868
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2248
MoUsoCoreWorker.exe
2.16.164.66:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
2248
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6004
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3228
IMDCSC.exe
147.185.221.21:9265
lists-ukraine.gl.at.ply.gg
PLAYIT-GG
US
malicious
4656
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.66
  • 2.16.164.107
  • 2.16.164.106
  • 2.16.164.9
  • 2.16.164.98
  • 2.16.164.51
  • 2.16.164.73
  • 2.16.164.129
  • 2.16.164.25
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.206
whitelisted
lists-ukraine.gl.at.ply.gg
  • 147.185.221.21
unknown
www.bing.com
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.152
  • 104.126.37.186
  • 104.126.37.144
  • 104.126.37.146
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.123
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.75
  • 20.190.159.23
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.21
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows 10.exe