File name:

msdcsc.exe

Full analysis: https://app.any.run/tasks/e09d8efd-cfdf-4a12-ac90-1e818fde3df9
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: April 23, 2026, 12:36:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
darkcomet
rat
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

02B0CA7A20A0A519AEBC21C04C77ED68

SHA1:

4AB214955569E8C6215505BE00A08C242D37D47C

SHA256:

CA43B69AEECD6D78B0D80E8EA38EC2988C03152758FBFF87B0A422EC26B99DE3

SSDEEP:

12288:m6/k564R2MsyHJGfN02XWDvQi4vGbN5Io1dxdffGslkqLznI9DkkwdA:m6/l4R2MsypGj9GH3ffGWkmYkkwdA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • msdcsc.exe (PID: 7776)

    • Changes the login/logoff helper path in the registry

      • msdcsc.exe (PID: 7776)

    • DARKCOMET mutex has been found

      • msdcsc.exe (PID: 3380)

    • DARKCOMET has been detected (YARA)

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)

    • Executable content was dropped or overwritten

      • msdcsc.exe (PID: 7776)

  • INFO

    • The sample compiled with english language support

      • msdcsc.exe (PID: 7776)

    • Checks supported languages

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)

    • Reads the computer name

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)

    • Launching a file from a Registry key

      • msdcsc.exe (PID: 7776)

    • Manual execution by a user

      • msdcsc.exe (PID: 3380)

    • There is functionality for taking screenshot (YARA)

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)

    • Compiled with Borland Delphi (YARA)

      • msdcsc.exe (PID: 7776)
      • msdcsc.exe (PID: 3380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 586752
InitializedDataSize: 186880
UninitializedDataSize: -
EntryPoint: 0x8f888
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DARKCOMET msdcsc.exe slui.exe #DARKCOMET msdcsc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2840C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3380C:\Users\admin\Documents\MSDCSC\msdcsc.exeC:\Users\admin\Documents\MSDCSC\msdcsc.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\documents\msdcsc\msdcsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7776"C:\Users\admin\Desktop\msdcsc.exe" C:\Users\admin\Desktop\msdcsc.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\msdcsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
4 081
Read events
4 078
Write events
3
Delete events
0

Modification events

(PID) Process:(7776) msdcsc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicroUpdate
Value:
C:\Users\admin\Documents\MSDCSC\msdcsc.exe
(PID) Process:(7776) msdcsc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:UserInit
Value:
C:\Windows\system32\userinit.exe,C:\Users\admin\Documents\MSDCSC\msdcsc.exe
(PID) Process:(2840) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7776msdcsc.exeC:\Users\admin\Documents\MSDCSC\msdcsc.exeexecutable
MD5:02B0CA7A20A0A519AEBC21C04C77ED68
SHA256:CA43B69AEECD6D78B0D80E8EA38EC2988C03152758FBFF87B0A422EC26B99DE3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
41
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
5228
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5484
svchost.exe
GET
200
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
US
text
3.41 Kb
whitelisted
2840
slui.exe
POST
500
48.192.1.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
2840
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
5316
svchost.exe
POST
200
20.190.160.22:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
POST
400
20.190.160.22:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
5316
svchost.exe
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
20.190.160.22:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5484
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7304
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.241.214:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
5484
svchost.exe
23.216.77.36:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5484
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5208
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 2.16.241.214
  • 2.16.241.223
  • 2.16.241.222
  • 2.16.241.219
  • 2.16.241.209
  • 2.16.241.215
  • 2.16.241.212
  • 2.16.241.217
  • 2.16.241.200
whitelisted
google.com
  • 142.251.20.139
  • 142.251.20.102
  • 142.251.20.138
  • 142.251.20.113
  • 142.251.20.100
  • 142.251.20.101
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.20
  • 23.216.77.6
  • 23.53.41.90
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.52.181.212
whitelisted
kvb.it.com
  • 104.21.10.177
  • 172.67.146.40
unknown
login.live.com
  • 20.190.159.2
  • 20.190.159.130
  • 20.190.159.0
  • 40.126.31.0
  • 40.126.31.131
  • 40.126.31.128
  • 20.190.159.4
  • 20.190.159.128
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID
Process
Class
Message
5484
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
msdcsc.exe