darkcomet | 44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Size

798KB
MD5

832619868d13460e2eeb2c66faa414af
SHA1

4a8070c5b9afeb8b3847e83cbcec853b8c3ce0a5
SHA256

44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5
SHA512

65c48b9ea134157442e1b338e49e1bb3366d460dc4658536aefb156738b8a2f11f2c6ef543b855394debbd0313686b07814390ec0d8c100e56968c1f7d4b867a
SSDEEP

24576:/FSCqW6666666ZVtJJi6pnYWRl0CO66aJMDb:z6666666ZVtJJi6pnYQ7fJyb

Score

10^/10

darkcomet new victim defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New Victim

1zkiller.no-ip.org:1615

Mutex

DCMIN_MUTEX-3FWL7WF

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
Q5Fr9tPhokNo
install
true
offline_keylogger
true
persistence
false
reg_key
iDeactivater

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Executes dropped EXE 5 IoCs

pid	Process
2812	Deactivater.exe
2760	sched.exe
2604	ahekoha.exe
1748	IMDCSC.exe
1624	ahekoha.exe

Loads dropped DLL 6 IoCs

pid	Process
1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
2760	sched.exe
2184	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Deactivater = "C:\\Users\\Admin\\AppData\\Roaming\\ahekoha.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\iDeactivater = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 2604 set thread context of 2184	2604	ahekoha.exe	50
PID 1624 set thread context of 308	1624	ahekoha.exe	60

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-115-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-118-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-120-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-121-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-122-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-123-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2184-131-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-172-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-171-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-170-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-174-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-173-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-176-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/308-178-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahekoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahekoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deactivater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	sched.exe
2760	sched.exe
2760	sched.exe
2760	sched.exe
2604	ahekoha.exe
2760	sched.exe
2760	sched.exe
2604	ahekoha.exe
2760	sched.exe
2760	sched.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe
2760	sched.exe
2760	sched.exe
1624	ahekoha.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Token: SeDebugPrivilege	2760	sched.exe
Token: SeDebugPrivilege	2604	ahekoha.exe
Token: SeIncreaseQuotaPrivilege	2184	vbc.exe
Token: SeSecurityPrivilege	2184	vbc.exe
Token: SeTakeOwnershipPrivilege	2184	vbc.exe
Token: SeLoadDriverPrivilege	2184	vbc.exe
Token: SeSystemProfilePrivilege	2184	vbc.exe
Token: SeSystemtimePrivilege	2184	vbc.exe
Token: SeProfSingleProcessPrivilege	2184	vbc.exe
Token: SeIncBasePriorityPrivilege	2184	vbc.exe
Token: SeCreatePagefilePrivilege	2184	vbc.exe
Token: SeBackupPrivilege	2184	vbc.exe
Token: SeRestorePrivilege	2184	vbc.exe
Token: SeShutdownPrivilege	2184	vbc.exe
Token: SeDebugPrivilege	2184	vbc.exe
Token: SeSystemEnvironmentPrivilege	2184	vbc.exe
Token: SeChangeNotifyPrivilege	2184	vbc.exe
Token: SeRemoteShutdownPrivilege	2184	vbc.exe
Token: SeUndockPrivilege	2184	vbc.exe
Token: SeManageVolumePrivilege	2184	vbc.exe
Token: SeImpersonatePrivilege	2184	vbc.exe
Token: SeCreateGlobalPrivilege	2184	vbc.exe
Token: 33	2184	vbc.exe
Token: 34	2184	vbc.exe
Token: 35	2184	vbc.exe
Token: SeDebugPrivilege	1624	ahekoha.exe
Token: SeIncreaseQuotaPrivilege	308	vbc.exe
Token: SeSecurityPrivilege	308	vbc.exe
Token: SeTakeOwnershipPrivilege	308	vbc.exe
Token: SeLoadDriverPrivilege	308	vbc.exe
Token: SeSystemProfilePrivilege	308	vbc.exe
Token: SeSystemtimePrivilege	308	vbc.exe
Token: SeProfSingleProcessPrivilege	308	vbc.exe
Token: SeIncBasePriorityPrivilege	308	vbc.exe
Token: SeCreatePagefilePrivilege	308	vbc.exe
Token: SeBackupPrivilege	308	vbc.exe
Token: SeRestorePrivilege	308	vbc.exe
Token: SeShutdownPrivilege	308	vbc.exe
Token: SeDebugPrivilege	308	vbc.exe
Token: SeSystemEnvironmentPrivilege	308	vbc.exe
Token: SeChangeNotifyPrivilege	308	vbc.exe
Token: SeRemoteShutdownPrivilege	308	vbc.exe
Token: SeUndockPrivilege	308	vbc.exe
Token: SeManageVolumePrivilege	308	vbc.exe
Token: SeImpersonatePrivilege	308	vbc.exe
Token: SeCreateGlobalPrivilege	308	vbc.exe
Token: 33	308	vbc.exe
Token: 34	308	vbc.exe
Token: 35	308	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2724	vbc.exe
2812	Deactivater.exe
308	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2772	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	29
PID 1176 wrote to memory of 2772	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	29
PID 1176 wrote to memory of 2772	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	29
PID 1176 wrote to memory of 2772	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	29
PID 2772 wrote to memory of 2188	2772	vbc.exe	31
PID 2772 wrote to memory of 2188	2772	vbc.exe	31
PID 2772 wrote to memory of 2188	2772	vbc.exe	31
PID 2772 wrote to memory of 2188	2772	vbc.exe	31
PID 1176 wrote to memory of 2964	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	32
PID 1176 wrote to memory of 2964	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	32
PID 1176 wrote to memory of 2964	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	32
PID 1176 wrote to memory of 2964	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	32
PID 2964 wrote to memory of 2956	2964	vbc.exe	34
PID 2964 wrote to memory of 2956	2964	vbc.exe	34
PID 2964 wrote to memory of 2956	2964	vbc.exe	34
PID 2964 wrote to memory of 2956	2964	vbc.exe	34
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2724	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	35
PID 1176 wrote to memory of 2732	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	36
PID 1176 wrote to memory of 2732	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	36
PID 1176 wrote to memory of 2732	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	36
PID 1176 wrote to memory of 2732	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	36
PID 1176 wrote to memory of 2812	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	38
PID 1176 wrote to memory of 2812	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	38
PID 1176 wrote to memory of 2812	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	38
PID 1176 wrote to memory of 2812	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	38
PID 1176 wrote to memory of 2176	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	39
PID 1176 wrote to memory of 2176	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	39
PID 1176 wrote to memory of 2176	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	39
PID 1176 wrote to memory of 2176	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	39
PID 2176 wrote to memory of 1032	2176	vbc.exe	41
PID 2176 wrote to memory of 1032	2176	vbc.exe	41
PID 2176 wrote to memory of 1032	2176	vbc.exe	41
PID 2176 wrote to memory of 1032	2176	vbc.exe	41
PID 1176 wrote to memory of 2760	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	42
PID 1176 wrote to memory of 2760	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	42
PID 1176 wrote to memory of 2760	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	42
PID 1176 wrote to memory of 2760	1176	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	42
PID 2760 wrote to memory of 2604	2760	sched.exe	43
PID 2760 wrote to memory of 2604	2760	sched.exe	43
PID 2760 wrote to memory of 2604	2760	sched.exe	43
PID 2760 wrote to memory of 2604	2760	sched.exe	43
PID 2604 wrote to memory of 2676	2604	ahekoha.exe	44
PID 2604 wrote to memory of 2676	2604	ahekoha.exe	44
PID 2604 wrote to memory of 2676	2604	ahekoha.exe	44
PID 2604 wrote to memory of 2676	2604	ahekoha.exe	44
PID 2676 wrote to memory of 3028	2676	vbc.exe	46
PID 2676 wrote to memory of 3028	2676	vbc.exe	46
PID 2676 wrote to memory of 3028	2676	vbc.exe	46
PID 2676 wrote to memory of 3028	2676	vbc.exe	46
PID 2604 wrote to memory of 1628	2604	ahekoha.exe	47
PID 2604 wrote to memory of 1628	2604	ahekoha.exe	47
PID 2604 wrote to memory of 1628	2604	ahekoha.exe	47
PID 2604 wrote to memory of 1628	2604	ahekoha.exe	47
PID 1628 wrote to memory of 1920	1628	vbc.exe	49
PID 1628 wrote to memory of 1920	1628	vbc.exe	49
PID 1628 wrote to memory of 1920	1628	vbc.exe	49

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_axzhj8e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2859.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2848.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snxg0khy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29FD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2732
- C:\Users\Admin\AppData\Roaming\Deactivater.exe
  "C:\Users\Admin\AppData\Roaming\Deactivater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\osyabc7z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D8D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- C:\Users\Admin\AppData\Roaming\sched.exe
  "C:\Users\Admin\AppData\Roaming\sched.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\ahekoha.exe
    "C:\Users\Admin\AppData\Roaming\ahekoha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izdpggma.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4387.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4376.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0spw4hwg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44FC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Modifies WinLogon for persistence
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2184
    - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
- - C:\Users\Admin\AppData\Roaming\ahekoha.exe
    "C:\Users\Admin\AppData\Roaming\ahekoha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjvn__mv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70EC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4jnbeda8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1968
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc71D6.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0spw4hwg.cmdline

Filesize
317B

MD5
4b2c09b2cb4fd0dda77b2a409d9a4bc1

SHA1
99955945004aece88751fa4f211e5e5dc3ac6a35

SHA256
be0c4c60405595c45600c4302403b6d73c82e7abc8c31325862e24eafe457b4d

SHA512
f2ef8b16c76f2e70ae590cfbf9e13be91659f1c4da9c4cc746ce4ad256d7e56648055f9a61dd13c9751894e0b6ad0b6e0c366b206925dfaac467f0772f31ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\0spw4hwg.dll

Filesize
6KB

MD5
359858a40839b2738ec02fedfc2aaeda

SHA1
1d2ce525bd9fac0daa437c4c4f215afac55ff9da

SHA256
56798568aee3944fdaf25f13a9c2c9cf3802572e8e8d2d309b68ab49057132a6

SHA512
3cb325aaa66b76232b6bd6cc1af9e60750cce85155479b9962fbb0504493b9fc302cd250ee0d5a6ffebc41b8d4818670ca0645b913aae99730e1dae9ad03788b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jnbeda8.cmdline

Filesize
317B

MD5
9937cbfc0c94106e5a3f855ee7f2cfb8

SHA1
ff304bc20eecfab5dd6db6dddc39642792bc36a8

SHA256
d1233ede6ac7cb5cad835640eeda928f29dd1576e15e78b0bceb32b7233a9be4

SHA512
e6169dd51cd42b2e081611e1b745b1135768fd037922f08f2444aa9b8ed8993de6e681f97d98bbd63f90271ca1f063a2759805d46d08946a6e9eead6498d64bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jnbeda8.dll

Filesize
6KB

MD5
727b96d78a0655b9651b1094f3b8f66d

SHA1
e8d1edf47a50fc8a3863e144ac5dc7d465ea7aa7

SHA256
9e3a4d97818e3d61bada2b9c7f35914769b0dc2a60b2bea2145caf399aa13e1b

SHA512
2ec3641684e46096957836e103efdfbb95695200e00b98f871a98c5bd76b483dd7ae567aca5227fa9440bec7624fa557fe4172e1765ec247b1451b002f98bd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2859.tmp

Filesize
1KB

MD5
1441424e176a9b9ac98b178ab675f98a

SHA1
90ad805f679e26e5b2e91082daea4e49f144f1b2

SHA256
453500765cccff065f308943282be5e2adb8ca631422bcfcda4e666e7b2e4556

SHA512
9bc794eb14cad44dec6233e1489bec4f2165ddcaea6a8d499fb248561f553d6fb1d8a9a9ee274105522b0971077085877bad185c66c0d506dcb28426d0c88aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29FE.tmp

Filesize
1KB

MD5
653e919764745313b6c07b11dbc7614b

SHA1
2db5404761b4fc822033029656c28705eec829d5

SHA256
3d338fdac8be07c9ab2ffc99710ebddcde88e0867254bd0a745bac89ce249481

SHA512
04f3caae0e9ab9e7c85e0f5c550d5ab34d743c0436b597d893a72babda98fbbc65b552f7590669bd945aa068601c9e1d796d3576d9da1ec0c5347dbfe0c0436d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D8E.tmp

Filesize
1KB

MD5
6729a4ee865510191f31adcffca4c026

SHA1
90e2a8bc069c681665af220daca2b2b038fe4f05

SHA256
ef081dc23c8d420f97d048c3614d1c362ab6255c7ee61aebf99d68d62eab24ef

SHA512
6e524f2fb4a6878dc0be0773726803bf66cae77d25d48fb7f302d6db6f9b3f41b3f30a6660e952fad5ceb9e860cb882306e250007896fc1aaac4626a88e29b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4387.tmp

Filesize
1KB

MD5
48d433957aabe0a0528b060d9d3673d9

SHA1
3191bcac37da7e1f42e0410f601ee4f6534dc912

SHA256
548802832a48bddf57f206b0332b466ff87e963a648d8fa2c71b9f8050551140

SHA512
80a41d9a4e6caf618e0e0e6d124d6995115c6023bcfc7043a26176db34f68bf4cea94eeac2ea9c824b83c03d828949b9ba2b5a927ad00ce7be7e56b7bcdef8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44FD.tmp

Filesize
1KB

MD5
79633165671c5db1ad49c1bb362cf836

SHA1
c216e22972aa3ccf14e52479247b214ab27ac48c

SHA256
bec4406435af7981ef468a5181ce0120aaccebaf91d421af368798f2c28b2720

SHA512
70a42fa06e6960488ff7a9115a1a742abbb6c7d5d74d7d08b3247ce232887dfbbd79ad8dfc5f623c17abbb361c967e102006bb4282f89bc69c8795b87cee57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70ED.tmp

Filesize
1KB

MD5
887d866a26916c5a893bf933ef298ab7

SHA1
e337518e7070deeeae122860715f5f068ddda23f

SHA256
1f1b2db22cb5223efdea02613b214de3d793a5c94f5e41ca8a0f283e9675e25d

SHA512
83a1d78959303a6d1318721afadd51d097100a190bccb3f8815df08a11b9629e2e33cc26636953408c83a6078065da15aee54dccfe3c3187e043c9f39b64f80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71E6.tmp

Filesize
1KB

MD5
a9fbecdf433bd69cd207de3c44a1a8bf

SHA1
8c0a3430665b993a15226e7f958aee6f975f3c88

SHA256
61c03b2c9126477dce366b2adf1e3f145069d421b081b7e74cf73cf50fb0b061

SHA512
ae895c3a847f07d630dd18b220c48b506c5d04c31b83d45868b3411bc336c8ec30ed1594a1ded312396f7c920a1cf59139e9c512c239e9f9088e827db440be4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_axzhj8e.0.vb

Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_axzhj8e.cmdline

Filesize
317B

MD5
26c9583ee23c26f496797e432c12a736

SHA1
3c5c5b0f0079215eba58414ddbbdfc0eb039589c

SHA256
6fefd984358a6eaf1cb2e180dc265236a773cd8fbb95bb0206db121e36dc0654

SHA512
0d4d5d2cdfc75fb97da98ec6d1ee939bd402191000b055d1ff15e3c0daecb30a43ae4dbd1eefee492311086f92c7c2a7598de50d56ac104f0b373b2dc5a8e55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_axzhj8e.dll

Filesize
6KB

MD5
df78cac5db5031155acb2f0cb6925790

SHA1
e9636eb1f63e323e223a0e60cfb13b195f1ee676

SHA256
eed5472f560aa82142f64ab2d5a30743952fd581cba8da4089654c681d2b2bce

SHA512
8f0c08f37384746fe4bed2637090b5443c05f610ec50352fc809345c6319c0b3e2b66e827250de764d4dabaecc8e2a8f4450c59a4835dac782fca91e497f0b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjvn__mv.cmdline

Filesize
317B

MD5
66f3afc6c73f81863c6367f239eb649b

SHA1
ddf27db863eb1a2571f48965a2c830709412eb8d

SHA256
844b84d418e6107fba7b0af0a966d2d7a6691e1da6588d1843750a77ba5f12c5

SHA512
60645699819f6f6082f05a5db6a99ade09718971450a3d7ce2aefe76426fc5c977c388380852985930312f74b99db6656982e5f386ee7e295fc084402b08a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjvn__mv.dll

Filesize
6KB

MD5
a5935f0db08426dc0d68d97872d3425e

SHA1
362d3620f1d7e0b125ed3a251c67142b49ee8e37

SHA256
69d44f8b7342c411cc23bf1e0d6a523bea8ca65cfe0c06fb8cd0f9743c70cd22

SHA512
d40bb7ff415e0e2b923a8cb92306581a878e09937ddd56ea9322394136c91b04da92a5dce3ea9bc3598fe2af6819844b23e68c8482fd7bff08709c3b508575a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\izdpggma.cmdline

Filesize
317B

MD5
5b0d6d034a36ea9070edc956fc067876

SHA1
b2e3916d9076e736fa47e9fc3af59e34deb651de

SHA256
0b78c243841c045cef4e65eebca11a6c995ea3846008604fe0ba68c455b15293

SHA512
bc3eeab6cccec04586133df129bcc5aea042f1df137fe106e334968fc05ed6d4a819c419754b60418ac24b85049b48b83bee2589407e4cd5b2977d7c1f889904

Download Submit
C:\Users\Admin\AppData\Local\Temp\izdpggma.dll

Filesize
6KB

MD5
794b272bfa270389274ba6541f64ecc7

SHA1
13277ddfc6ff56428c2171527ef728b974e2fd9c

SHA256
25f5ac570abd0bea46bcb0d3ea1339665f27051d2c4df84d8600b708d195cc7c

SHA512
2cbb7310f6afde4cc6f5c30933652801ba7471f8f200a167ae9af8667a2d97a21a92fae46ddc09adb9ce69662f2ae476e26cf34db4101b2c0f81856983c62fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\osyabc7z.0.vb

Filesize
1KB

MD5
aa8f299f2292f19411be583574b7f34c

SHA1
ad10a8a3fff62ba0dd1195518e36c65944c26c80

SHA256
5a89ce04715e40822f5def2d739c07ff04a9d01033b2e184d00c4389a4f2e784

SHA512
2484224545198913029b80d5dc6f2d63f874b5549b6006708e222c34b5b645881a27f5cfc400c1ffb2e5f23dc99f94d21e48c5c6a68561058dacba74da8e66f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\osyabc7z.cmdline

Filesize
246B

MD5
76ac78d51f52f7f12fa90a909fe5da2a

SHA1
3c8720a59689749eea009896e7bc5a85f446e0c0

SHA256
b15542eb7c162233caa873bd01ac78f260d798bc422be25d6cd08c5f632e27c5

SHA512
a7fe18ca7ad62bcf797fc6b19ee744565e92084efbd297810b238f1971982332704098d80ace935c516c1b0a2cc71163e684a438122839c66c8c00ea77b8771e

Download Submit
C:\Users\Admin\AppData\Local\Temp\snxg0khy.cmdline

Filesize
317B

MD5
112a9828d058b80abaca97d81f206aa5

SHA1
8ea7b707c3b9d579a6f5551728fbc3a9644e47b1

SHA256
3416bed45259256387285ce0eda290e9a2cd6c57a92986328e543978873d6ab8

SHA512
da9c5eaf1c066497fa64a3ee3dbf9ac13003e777d5344dd994cd4e05d25ddf29ec3adbbdcdc557c09ba20c2af4c245f21997074678e143c161ddda67dcc36bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\snxg0khy.dll

Filesize
6KB

MD5
fb2bbeb5638dcb265cb4e66730bef22d

SHA1
5c046e30728150506656f5b5b2d6d3cb3ffea5d2

SHA256
b5839a6373dfa04bf4310d294327d0b1117dd2d5bfcaeb1d65925c0bdf919cbe

SHA512
320db90a249dc5d4e22e2cd9fccd96b20ec246eb9ac4824c7b184cbc0c3a17ad8461bf5d534393b1c5d7789f5685e4dcaf7ab4ead5fa9ebe6c7e0d324b58284f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2848.tmp

Filesize
652B

MD5
586530c4d3f93fb2b13aa84c5094369d

SHA1
288ca28b49813400eeaeb8a1433f7ed1f930ff1b

SHA256
a5f37844a70eea21e0bc7bf3d4fa175c90363d629e532c991397c6abef601fde

SHA512
622fce60c3cb4a536bf2a5397b43be1e4e4bfd27055a1aae1499559a828e838fa8f7797e5c09e6563d9c80e1301904f79a3c746ef984f358b2706c1b506006c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29FD.tmp

Filesize
652B

MD5
a2487cb34ff536b6e93312a34cd1e7f0

SHA1
6f581866e714643aee464d125d03bc9f0ec51193

SHA256
d7b7dff1711b441adce5af156a6d9595627ef8d97a20c78e3a7e0be477edaa7f

SHA512
3cd21e1ba63f65c5dfcc91427e0d8ec36a724112a611c51df654cef8935f06fa439cdab5a3d4a6d792e036968903b17732b30bd051b20f84922de21d00b081ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3D8D.tmp

Filesize
636B

MD5
f73dd8c3998022e28684a9ff8b6dafe5

SHA1
274fd1667a970aefd378ddfcd25cf10ee61548cf

SHA256
d4b241d51342cccbc69b85060f8ee58081236fa8a2f1d2abe1b1683e3330ae25

SHA512
a17772caa084153eeca5cd85849b2bb009609e5e535de3a066c43c888bffad6fa1a07a31f52a3d48a57009c1ec948d9a2cf392cda008a65e21c6ede0c0376a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4376.tmp

Filesize
652B

MD5
b192f401f1eac05dd660ef7d6cc3efab

SHA1
06594c45336ce1682e05a6bd4accf1c5c340c12d

SHA256
1c99d572340f1ef61314516266d85c8658573158b4c7e1b879861f75a447a332

SHA512
ead794d003aeb18fe7f6b7ac6123ca765dcb9b88a8eac65c0bcd35653a4bf6978adae7737a849eabacf547f1aded9ea347f9301cd7622eb69d9014c07370d6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44FC.tmp

Filesize
652B

MD5
bfcdabbe246480341daa948da0dc8548

SHA1
2fc060a26f0d011c044375078bca8cea2823eb7c

SHA256
7ea423218ee1b5746d68faf89fea0dfbac2ea8a255ffe1be78f69024e7554f3b

SHA512
ac07a4901de16d1498b795c858f1d93d5d2003ba0d5fe248dfe65658508c6aedaa60927b18af1678c002f8de4b11132a7684524693ce3ef13ed1dbe772b399b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70EC.tmp

Filesize
652B

MD5
e0596636f1bda9348fe6c68a100b3039

SHA1
65a0d16f9372c2558a2f576b7823ac727b3daa06

SHA256
554f1f9d44db1491511913763459c2da1dd9d92c9f780f5339ff98da475ca18a

SHA512
6856da861c1d72e3a543c81e2fd34d33aec89887a2f50c8b23a7cc779df1ac371295c7780feef8f7db7929e000e77590b7572fb07965a50aff23e31521df78aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc71D6.tmp

Filesize
652B

MD5
b84d476006b05467b590817cd006b7a4

SHA1
f781ab0de54d42968cbf9ac9cf45ba608336b3f8

SHA256
5a466757914d46db77405a412692b855ae18ac07626e7a9444bd4e4171daf5d6

SHA512
ab1376470fe6f99023e95912f0774f4275df0d4e70295349a3655dc983e32bd86fd4f17793f8e49e63f5b8553089643026b32ce1fbb89fe1d7a713041f2749e8

Download Submit
C:\Users\Admin\AppData\Roaming\Deactivater.exe

Filesize
184KB

MD5
e0e5846962a8942d9ac873f2e952cc05

SHA1
49a9c6f2864de2232787e1e1d4d9de31e7f4a1dc

SHA256
52e200398835957eaca7eaa6ec3ce6fed2bddf4288511e6048b4dd8ca1205034

SHA512
8777886b25e97da85bbadd29f7914b115b4dbe2f2759cb989cbc3dc9a02516316dcede65e50f72d3b02c2f205b721010a4e2d461c2b8ddf2f0fb158351258af3

Download Submit
C:\Users\Admin\AppData\Roaming\ahekoha.exe

Filesize
798KB

MD5
832619868d13460e2eeb2c66faa414af

SHA1
4a8070c5b9afeb8b3847e83cbcec853b8c3ce0a5

SHA256
44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5

SHA512
65c48b9ea134157442e1b338e49e1bb3366d460dc4658536aefb156738b8a2f11f2c6ef543b855394debbd0313686b07814390ec0d8c100e56968c1f7d4b867a

Download Submit
C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
106B

MD5
d1bd75efa76d7dc5f21704e38dd5eaae

SHA1
6f90aa514e42ac10618de8085dc0a499f64bdbed

SHA256
6740cd18df26978f235a08558b69f95925b964d9d05a1bb300e11a8ce3d8669b

SHA512
cd012eb0c34f14a95c82090a0d37db2d7ae9d51730de02ddb6dde2c8144ac5f8cada26f116cdf8826bdc0313b48eb48e3d3beb425d85ae32e64feafb1fffb19e

Download Submit
\Users\Admin\AppData\Roaming\sched.exe

Filesize
7KB

MD5
3d533e0704a787bec4612edebd844934

SHA1
52955c37ca474003a2a4e54d2914d81cad3e5493

SHA256
3a5dc1edea159edc871e686d2ad5e0c088a6b93d4fc2464a488b2de36b8af16e

SHA512
2021c38a8e42ab4598941d9cd9296582a1a3fa1ffb18cfa63235d3e5d47a9df1abb17e57bbc0269c7f61f83efcee934de7f6e5e91f8427b2680796c04699c7fa

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/308-172-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-171-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-178-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-170-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-176-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-174-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/308-173-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1176-81-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-1-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-0-0x0000000074AE1000-0x0000000074AE2000-memory.dmp

Filesize
4KB

Download
memory/2184-122-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-131-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-123-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-121-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-120-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-118-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-115-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2184-113-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-44-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-43-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-38-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-34-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2772-16-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-7-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download