darkcomet | 44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Size

798KB
MD5

832619868d13460e2eeb2c66faa414af
SHA1

4a8070c5b9afeb8b3847e83cbcec853b8c3ce0a5
SHA256

44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5
SHA512

65c48b9ea134157442e1b338e49e1bb3366d460dc4658536aefb156738b8a2f11f2c6ef543b855394debbd0313686b07814390ec0d8c100e56968c1f7d4b867a
SSDEEP

24576:/FSCqW6666666ZVtJJi6pnYWRl0CO66aJMDb:z6666666ZVtJJi6pnYQ7fJyb

Score

10^/10

darkcomet new victim defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New Victim

1zkiller.no-ip.org:1615

Mutex

DCMIN_MUTEX-3FWL7WF

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
Q5Fr9tPhokNo
install
true
offline_keylogger
true
persistence
false
reg_key
iDeactivater

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	sched.exe

Executes dropped EXE 5 IoCs

pid	Process
2708	Deactivater.exe
2624	sched.exe
4364	ahekoha.exe
4744	IMDCSC.exe
5156	ahekoha.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Deactivater = "C:\\Users\\Admin\\AppData\\Roaming\\ahekoha.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iDeactivater = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5152 set thread context of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 4364 set thread context of 2128	4364	ahekoha.exe	109
PID 5156 set thread context of 4256	5156	ahekoha.exe	119

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-109-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2128-110-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2128-111-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2128-123-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-157-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-158-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-159-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-160-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-161-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-163-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4256-165-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deactivater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahekoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahekoha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ahekoha.exe:ZONE.identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	sched.exe
2624	sched.exe
2624	sched.exe
2624	sched.exe
4364	ahekoha.exe
2624	sched.exe
2624	sched.exe
4364	ahekoha.exe
2624	sched.exe
2624	sched.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe
5156	ahekoha.exe
2624	sched.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
Token: SeDebugPrivilege	2624	sched.exe
Token: SeDebugPrivilege	4364	ahekoha.exe
Token: SeIncreaseQuotaPrivilege	2128	vbc.exe
Token: SeSecurityPrivilege	2128	vbc.exe
Token: SeTakeOwnershipPrivilege	2128	vbc.exe
Token: SeLoadDriverPrivilege	2128	vbc.exe
Token: SeSystemProfilePrivilege	2128	vbc.exe
Token: SeSystemtimePrivilege	2128	vbc.exe
Token: SeProfSingleProcessPrivilege	2128	vbc.exe
Token: SeIncBasePriorityPrivilege	2128	vbc.exe
Token: SeCreatePagefilePrivilege	2128	vbc.exe
Token: SeBackupPrivilege	2128	vbc.exe
Token: SeRestorePrivilege	2128	vbc.exe
Token: SeShutdownPrivilege	2128	vbc.exe
Token: SeDebugPrivilege	2128	vbc.exe
Token: SeSystemEnvironmentPrivilege	2128	vbc.exe
Token: SeChangeNotifyPrivilege	2128	vbc.exe
Token: SeRemoteShutdownPrivilege	2128	vbc.exe
Token: SeUndockPrivilege	2128	vbc.exe
Token: SeManageVolumePrivilege	2128	vbc.exe
Token: SeImpersonatePrivilege	2128	vbc.exe
Token: SeCreateGlobalPrivilege	2128	vbc.exe
Token: 33	2128	vbc.exe
Token: 34	2128	vbc.exe
Token: 35	2128	vbc.exe
Token: 36	2128	vbc.exe
Token: SeDebugPrivilege	5156	ahekoha.exe
Token: SeIncreaseQuotaPrivilege	4256	vbc.exe
Token: SeSecurityPrivilege	4256	vbc.exe
Token: SeTakeOwnershipPrivilege	4256	vbc.exe
Token: SeLoadDriverPrivilege	4256	vbc.exe
Token: SeSystemProfilePrivilege	4256	vbc.exe
Token: SeSystemtimePrivilege	4256	vbc.exe
Token: SeProfSingleProcessPrivilege	4256	vbc.exe
Token: SeIncBasePriorityPrivilege	4256	vbc.exe
Token: SeCreatePagefilePrivilege	4256	vbc.exe
Token: SeBackupPrivilege	4256	vbc.exe
Token: SeRestorePrivilege	4256	vbc.exe
Token: SeShutdownPrivilege	4256	vbc.exe
Token: SeDebugPrivilege	4256	vbc.exe
Token: SeSystemEnvironmentPrivilege	4256	vbc.exe
Token: SeChangeNotifyPrivilege	4256	vbc.exe
Token: SeRemoteShutdownPrivilege	4256	vbc.exe
Token: SeUndockPrivilege	4256	vbc.exe
Token: SeManageVolumePrivilege	4256	vbc.exe
Token: SeImpersonatePrivilege	4256	vbc.exe
Token: SeCreateGlobalPrivilege	4256	vbc.exe
Token: 33	4256	vbc.exe
Token: 34	4256	vbc.exe
Token: 35	4256	vbc.exe
Token: 36	4256	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4640	vbc.exe
2708	Deactivater.exe
4256	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5152 wrote to memory of 6028	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	88
PID 5152 wrote to memory of 6028	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	88
PID 5152 wrote to memory of 6028	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	88
PID 6028 wrote to memory of 6092	6028	vbc.exe	90
PID 6028 wrote to memory of 6092	6028	vbc.exe	90
PID 6028 wrote to memory of 6092	6028	vbc.exe	90
PID 5152 wrote to memory of 960	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	91
PID 5152 wrote to memory of 960	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	91
PID 5152 wrote to memory of 960	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	91
PID 960 wrote to memory of 2516	960	vbc.exe	93
PID 960 wrote to memory of 2516	960	vbc.exe	93
PID 960 wrote to memory of 2516	960	vbc.exe	93
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 4640	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	94
PID 5152 wrote to memory of 1092	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	95
PID 5152 wrote to memory of 1092	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	95
PID 5152 wrote to memory of 1092	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	95
PID 5152 wrote to memory of 2708	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	97
PID 5152 wrote to memory of 2708	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	97
PID 5152 wrote to memory of 2708	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	97
PID 5152 wrote to memory of 5216	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	98
PID 5152 wrote to memory of 5216	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	98
PID 5152 wrote to memory of 5216	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	98
PID 5216 wrote to memory of 1380	5216	vbc.exe	100
PID 5216 wrote to memory of 1380	5216	vbc.exe	100
PID 5216 wrote to memory of 1380	5216	vbc.exe	100
PID 5152 wrote to memory of 2624	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	101
PID 5152 wrote to memory of 2624	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	101
PID 5152 wrote to memory of 2624	5152	JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe	101
PID 2624 wrote to memory of 4364	2624	sched.exe	102
PID 2624 wrote to memory of 4364	2624	sched.exe	102
PID 2624 wrote to memory of 4364	2624	sched.exe	102
PID 4364 wrote to memory of 4764	4364	ahekoha.exe	103
PID 4364 wrote to memory of 4764	4364	ahekoha.exe	103
PID 4364 wrote to memory of 4764	4364	ahekoha.exe	103
PID 4764 wrote to memory of 544	4764	vbc.exe	105
PID 4764 wrote to memory of 544	4764	vbc.exe	105
PID 4764 wrote to memory of 544	4764	vbc.exe	105
PID 4364 wrote to memory of 2332	4364	ahekoha.exe	106
PID 4364 wrote to memory of 2332	4364	ahekoha.exe	106
PID 4364 wrote to memory of 2332	4364	ahekoha.exe	106
PID 2332 wrote to memory of 3676	2332	vbc.exe	108
PID 2332 wrote to memory of 3676	2332	vbc.exe	108
PID 2332 wrote to memory of 3676	2332	vbc.exe	108
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 4364 wrote to memory of 2128	4364	ahekoha.exe	109
PID 2128 wrote to memory of 4744	2128	vbc.exe	110
PID 2128 wrote to memory of 4744	2128	vbc.exe	110
PID 2128 wrote to memory of 4744	2128	vbc.exe	110
PID 2624 wrote to memory of 5156	2624	sched.exe	112
PID 2624 wrote to memory of 5156	2624	sched.exe	112
PID 2624 wrote to memory of 5156	2624	sched.exe	112

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_832619868d13460e2eeb2c66faa414af.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9-fusige.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ADD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F57CBE0E6D045D08C775BD6E78F5F29.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6092
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\im8okiy3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE94CCB758FF94E80B19B4C97964CF729.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1092
- C:\Users\Admin\AppData\Roaming\Deactivater.exe
  "C:\Users\Admin\AppData\Roaming\Deactivater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee5uepfy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13D7768E3D0F45B1B59E4213AB246673.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- C:\Users\Admin\AppData\Roaming\sched.exe
  "C:\Users\Admin\AppData\Roaming\sched.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\ahekoha.exe
    "C:\Users\Admin\AppData\Roaming\ahekoha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg0z9yhz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES948F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc269234B91746407F8A9CA16042B2744.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gs39l8qe.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8182C01CA84F45B7B4B450FCC7B8EEC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
- - C:\Users\Admin\AppData\Roaming\ahekoha.exe
    "C:\Users\Admin\AppData\Roaming\ahekoha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w36aaxxt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3724
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC321.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC521FB8BE994EBBADB29993B3FA81F9.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-uwthbmz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:648
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7479328DA0D453EB5B22468C379B357.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ahekoha.exe.log

Filesize
499B

MD5
8f0924703442a13ccb290f990d7e2075

SHA1
1138619ac1ca90e96884dbf8835479c8e60b169d

SHA256
0139e948d71e20b98d24ef4f04be7555e94bd0e90321e7ec745d09593228c28f

SHA512
44cb3c3605d3d0f4aaafd2d06569cdef982e8817e1b8d996bf282890fc5a47e33f4df2dbb4b6fbbe15afa05237dff4b397048543841fa8e2ff4baf8085bc8b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-uwthbmz.cmdline

Filesize
317B

MD5
b60ab39cc1c00b8db226ccf49ee5ff8e

SHA1
dc8672b70af9d8c5275e60d9f255a7c7dc2f9702

SHA256
ba0104d6566eef3696e5e9d0319299662c8cc6fdc90f4069695913d4a3888853

SHA512
4c2a15448e7df81bfb53d5f57391494703a2cfd60691a0ada534b48d2aaee7378324eb2202c6a8967169e8390091906d42b8bac6a877a4c838e61cdbca538adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\-uwthbmz.dll

Filesize
6KB

MD5
447e6218662166bb6cd2bd6c7c317ee3

SHA1
863002a9532101ea9e63c8d40feac06048e5c5f1

SHA256
bac5da53db4117359dc1df9ca83407b20beb1101cf2c40fefa6c63c8dd79f5b4

SHA512
6e2f5a870c0599f32a342a96a9c2099fc25fb964ec58b41cea19ecc196c9b19e20b95a3615e9a6e897351f452c54c3dc781c499b7a5233f70505b79f1c6d1665

Download Submit
C:\Users\Admin\AppData\Local\Temp\9-fusige.0.vb

Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9-fusige.cmdline

Filesize
317B

MD5
acad8d6b8a2cdd72fcad129e623b21b9

SHA1
56e0e4b0e99ffd0d4c9efdb647319f0e9b99a6c7

SHA256
308acab057a1a15f45f7d2db7cc612745c7411c20e64d275cb9a65808f59215e

SHA512
436f0dfca7ae93156b885496732673a9fd704a76a1cc1f2e68fa3eb6a8415f3209ddf2c2fdd3bc456817f776c8c1a38ede02675a3caf5a4f80d586b810ab005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9-fusige.dll

Filesize
6KB

MD5
3ba079edd9ec79b5ebd3bf2a3d5018d0

SHA1
5c68686421ebdc42801eb1c324ca4dfcabc9e065

SHA256
d724b0eb3bbd7675ede34269f83183afd8b026046d48e7d8be88d63b581975ba

SHA512
c99ef205cf5b307e687453a433ba2d916b4304fbe80bd02dc642fb20382f9b7367fb05b9483aa16aa842c3f0f32d2ee3f12a0ead8e47522999210af2f50f2ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7ADD.tmp

Filesize
1KB

MD5
2f779a68b6b2200c8c1b5bac7b2b1d49

SHA1
b36d5f30881467b4084a741d900a2f1cae59a939

SHA256
37af5def76a06af52cfc05cbc73030c6c3786ae31b61e216e9b40b8225abb352

SHA512
1328ebd9df0ab7b83d772e98433631f8605ea5bb92bec74d38b4c3bc74dcbea3814cf36e4017ca6bcc16d31bad7c2615646fe99a504a42d7f0a795373fd339cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp

Filesize
1KB

MD5
31677308ce8b01c6ad514d45d03efe43

SHA1
a22644991d6d51e1ad51001e6cf271a63253ea6a

SHA256
86c3b7932cc73209bd2d14cf9ee279193c007c8f3f88bb99b0e8e7be2967108c

SHA512
fb93cff607856f00131cacf01e606e8307830879ba63d5a345fbbcc856c5969fafbf970305ab59507e0cfd9b12e4c675f4da7c5a95cac3814d99033241aec745

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FBD.tmp

Filesize
1KB

MD5
0046674f44a279f58a7dae62c3908f5c

SHA1
77b41c8b564240122ba1a1f30f53fc1c01115cf6

SHA256
18acffb5e315d3302f1ac2f379975d3615172f5ac1d2372f784bb53cb5bd4428

SHA512
1add1d8d506b64a0ef4078aefa029b60e107681d839a52b2e45738e81386c0c2589b8e2452717ef6a181943e68912576abaf8435d85a83c646db8123a8b62af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES948F.tmp

Filesize
1KB

MD5
7497607ccf73c48365edd681c730b647

SHA1
8e004ef627a21fc618dd7562c441e57ae78d6437

SHA256
8053a94e01cbf1d0095dbf88109b7221df157d714b4ed013ef8291c1d36e85c7

SHA512
d9f581cf476b180766ee0d2378b2e1f8143fbe6b6ac4272b9eb61f0ce66c630a061d054099592fbdf2613ca060e01266a89f2ac4310ec09e114f092c70ed36db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95A8.tmp

Filesize
1KB

MD5
00b16bf0b67a45b2ae098ffe25505cf7

SHA1
c8489eded89ca9ccbc8c259dde00af50bd7d1079

SHA256
533ea78dffc746f3eae6247fbfefe6f90fa9da37b490f795207defe31ac1b79d

SHA512
1b37030e7a09c54bf2389ab9cefe08d68e6049bdaf4858d095b63757ff5b23c6e4bc9551e1173d6a5083d1d1e344a0fc016d10817759a30f9c3787da0560cea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC321.tmp

Filesize
1KB

MD5
db16cf3506b0ac6ec9b40519c9703f6d

SHA1
368446f9d5d33f12ff88e6240fb7d1ad9f1c44fd

SHA256
37fd149e667a4a4203f00548f63f12442f94df6fc30864b79f9ceb0a3de1613e

SHA512
208096d892a58b7820851afe6491c3e2cab060be9638a27f2b9551a96980ff99cdf5403fcf41176dc0ce1ca9e12201e7914e50876c64d00847402df04eff4e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3AE.tmp

Filesize
1KB

MD5
6e2d792ccc322bc109d9496ea5ac17ce

SHA1
fdb85483b82a43223e4b694b668d3b649308682f

SHA256
cfa4d5530f6e4a46368a3f0396ef8d472729b4631278a3c153d4af4372af1d52

SHA512
dc4b803f447f8e29c88615e28ac0f0d3594c2d2fbacd52570650aaccf5f924928e70f074d9dc1a226d5c43f8115cd454bcd3d91ba0f3cddcab1dd8e2f6e2651d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee5uepfy.0.vb

Filesize
1KB

MD5
aa8f299f2292f19411be583574b7f34c

SHA1
ad10a8a3fff62ba0dd1195518e36c65944c26c80

SHA256
5a89ce04715e40822f5def2d739c07ff04a9d01033b2e184d00c4389a4f2e784

SHA512
2484224545198913029b80d5dc6f2d63f874b5549b6006708e222c34b5b645881a27f5cfc400c1ffb2e5f23dc99f94d21e48c5c6a68561058dacba74da8e66f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee5uepfy.cmdline

Filesize
246B

MD5
34e46aedc4bdc0c63d76efbb87a9b992

SHA1
bbfd703f369edd51bd4acf1068c86c5763e8e9a7

SHA256
0897295cbe6a0208f56691b4106d066ebff76f98f7f8ec4dc9c9994198628565

SHA512
3fdd246ce89e68c8b1b8f1203dbbfdfbd1dd489c244615e6ee0c82a2caf296865e0d6c80b67e4d362dce8bca1ccb0524c4e6140c9a79a45e29f149481aa8f2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs39l8qe.cmdline

Filesize
317B

MD5
fdfa8b0aa896bf9c26676b427b656750

SHA1
6cbf6695b93ccdd9bf959144a07608a46c24bb37

SHA256
e72ac55dae771a043b5c17bc16d198f10b45b02548037e5ba015f2bdb7b67aa3

SHA512
5eed295a28a60413796a137ade82782cc76fdd2aefe4b1e257f0064d0a11cf8863207a66c1381aa9c1129be017112d403af6dd5d732fb5c9482358bcc06b2f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs39l8qe.dll

Filesize
6KB

MD5
20ee52479b4b34c7159fbcf413848539

SHA1
8519199fac42b8f6164e39b7d7caa466995799d1

SHA256
5ca3890ade21f0d742a99e150c886202e0df933fbf13d8e38888c8263dc94349

SHA512
1083fa1512fc73d3cc673c14ef909f3d2eb6c0832a1521879a0630fc32283f3cfb45d5e5513807275b46a043a7cae0cdb66e0188225981bb1d265a05ca0e206f

Download Submit
C:\Users\Admin\AppData\Local\Temp\im8okiy3.cmdline

Filesize
317B

MD5
0d1f1ddfbab6dcb1c90ff796747f446d

SHA1
8c8608075697229251ee9a1c82ea4808cd88df48

SHA256
78f5246af0f4249b89e4e0f0aac215b191f1a5cad5826236a5b13e999361f8f8

SHA512
35bd3905bcdbf7fc43236aae67489554083ee170f14a8fafc4166546880583afba6c21ac4bf46220aa88270ec348058c0c34bee810b87a05e77abfc98199e41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\im8okiy3.dll

Filesize
6KB

MD5
d08b15dde76a6962e8d11723f61f5078

SHA1
6ef47ca97ec72bb31a281879aa232012f565b208

SHA256
f266d4ce13834b2277d953d537e1e309ffdf6b815c1e304f29a35712441ba498

SHA512
1558217c0869ea6e91dbfd5498f1ce7674e2f3f6aed4c6551bd0efd5797958b3b7337fcef641536b4206cac98017ecca5cb8f744319084f9bf4101b9a9cc39b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc13D7768E3D0F45B1B59E4213AB246673.TMP

Filesize
636B

MD5
f73dd8c3998022e28684a9ff8b6dafe5

SHA1
274fd1667a970aefd378ddfcd25cf10ee61548cf

SHA256
d4b241d51342cccbc69b85060f8ee58081236fa8a2f1d2abe1b1683e3330ae25

SHA512
a17772caa084153eeca5cd85849b2bb009609e5e535de3a066c43c888bffad6fa1a07a31f52a3d48a57009c1ec948d9a2cf392cda008a65e21c6ede0c0376a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc269234B91746407F8A9CA16042B2744.TMP

Filesize
652B

MD5
39926f3b7383c1e0bcfc13a26e859e85

SHA1
b3e76c12dacc8123310d9d403c611dfbdd755e4e

SHA256
0c72492798e3065ffecef69b685b928567ec3124cc5f7cc2d118ecc695cbefb0

SHA512
28598c4d454f3785b31658a0ea3dcc3dc245f83e4d2e2a309bc69ef924f1d0fc18c6c16826244f3a532941816eb004bd214f8817737d9cb86d8fc88cf40685d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F57CBE0E6D045D08C775BD6E78F5F29.TMP

Filesize
652B

MD5
36db98265e38d17187baf832a5be2974

SHA1
6d15c02bcb014c46d2c76970067c42232a78938f

SHA256
1286ccddfa570476d35085a6fccd91fae9f95662f5e98fefa89b36fc4141fd4d

SHA512
b23e141838836864634f07f39176eb5b75df05727ac237817d4e4d72248643eff26e64f6c80b2096cc7c3a073f32f3e1aa16ee3680cb5cb674a0a91f9b567b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8182C01CA84F45B7B4B450FCC7B8EEC.TMP

Filesize
652B

MD5
4eaf6abc2478d8fb666f53b30515c849

SHA1
8157efc4b0215c58fb83ce2ea946a02432f7316a

SHA256
9675df5c5b5ac1d3ab8818a147e65492f95bd6c3c4efb19138db6e6fd10ae9e2

SHA512
11c2cb5c1ce5dfc8769ae765ffb45be9fb72a0b09c0cfc3ffc8f55f0416ab3e5e2d9107798bb0fc87309f404160cc7c2deb53681abd0a91ddb4024346d572c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7479328DA0D453EB5B22468C379B357.TMP

Filesize
652B

MD5
29dfa63222176011a9aca3a1b0d2f884

SHA1
1d0bb712cd2b7e053d01adb305c3c9609cd4b5c8

SHA256
a2f6ad3033c511d8666d864f0927686258e39c75abecc44ef065ec3b43af4c3b

SHA512
a354eba887ca3cede87ddd19a7bbc32394fdc9d9d06864d01c77de536708ba6b1423cf2487b2bf3b3733af1226550323488af5cb4ae14ce23df88f949759e30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC521FB8BE994EBBADB29993B3FA81F9.TMP

Filesize
652B

MD5
2510505f4ce6e4921de5554d96043b06

SHA1
4c70a08def978516b951cd5ca968adb2542020e5

SHA256
bd9701c2bef74499fa4bee20f98ce4dfb8ae027b683946f717e8fce48fc361e6

SHA512
00c49565dc5c9b86ac1c34dfb0b84a2961fb5dd023d76a019e124633a60a85dde461c989144413037a27b9bc4ad36bcf9c19e3f27057f5e43cac26b55ae764ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE94CCB758FF94E80B19B4C97964CF729.TMP

Filesize
652B

MD5
c0e7b82e1cdc3f81a41c67b4b7842bf6

SHA1
9ddecfba3592e418795a57f9d0af6edfd1594fad

SHA256
299d9917014699669570e8e94152b3623da626fcd1ba4d1cd7965238c1ce1226

SHA512
cad5074659a0caf68493d9c153237d8d030cfaf3947af88b0fcbd997c30575b69d3f116a552b9237775129f470bcd60673e6136030cd12abea997627e2670993

Download Submit
C:\Users\Admin\AppData\Local\Temp\vg0z9yhz.cmdline

Filesize
317B

MD5
3e262669515abe4aebc2fa2bc557a260

SHA1
602332cf1bd889f741947468cf90585b31ddf486

SHA256
8cead958feb37c4098b70c8fec4ee1be4ee7737409c28f102346ab45b34ad2d7

SHA512
2520df3a8625587c84d603921eae0610f8426a6985492ef9a5f24940e8033af1c1744888ef505b533a06cad66cc26262dd15768bf3b81095a50c44d79769f9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vg0z9yhz.dll

Filesize
6KB

MD5
1abd9b9842324c39fa62e122805f869a

SHA1
2051470db1402c5546f1991dc869a63531184207

SHA256
49f500cddf039b32037673edca2c03beb55c26c3ddb75da4b899265740967fa7

SHA512
a5822fe2b1567e9f32738953a9484b8361560b2868917632368481504633912f34cc1bfbb3a0e63a4026196cc58fb30d34dc3763ef79ebb89bdd3ea96545fb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\w36aaxxt.cmdline

Filesize
317B

MD5
34a3231971f1d3a7a7d433947c490592

SHA1
06d1734475e7ab86aa95268e8ad5733406750d7c

SHA256
a5eec353c7f047f3cc2d1c96417f363f13ffedc92ee9496b709782c130e5e3ba

SHA512
1484b92c63a9042d9e097819e4d295b2d5f36a090e8c0a88d6adc8fc26dbbd1599b3a9625fb309b31a8758b13ceef4a3fc5b2d6514342b9b0d3246991f7d40b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\w36aaxxt.dll

Filesize
6KB

MD5
db12ea6dd1715aab8dd4ac6dae5ef796

SHA1
7dc5d24fd945a53e317ea5af91a4a5c337a2433d

SHA256
7677871480f9a6a71f17923f94312d60c2d8b175d6da3082f1b34dfcc8a13989

SHA512
09d123edac9182f1b5066a51a5ee39f16891e5d149ed68b427d44115bd1c9a37b5476a08be40d0552fdcfd0d1b92cd1996fe3e56686f87076e086ce9a97d34ba

Download Submit
C:\Users\Admin\AppData\Roaming\Deactivater.exe

Filesize
184KB

MD5
e0e5846962a8942d9ac873f2e952cc05

SHA1
49a9c6f2864de2232787e1e1d4d9de31e7f4a1dc

SHA256
52e200398835957eaca7eaa6ec3ce6fed2bddf4288511e6048b4dd8ca1205034

SHA512
8777886b25e97da85bbadd29f7914b115b4dbe2f2759cb989cbc3dc9a02516316dcede65e50f72d3b02c2f205b721010a4e2d461c2b8ddf2f0fb158351258af3

Download Submit
C:\Users\Admin\AppData\Roaming\ahekoha.exe

Filesize
798KB

MD5
832619868d13460e2eeb2c66faa414af

SHA1
4a8070c5b9afeb8b3847e83cbcec853b8c3ce0a5

SHA256
44f187a4a6e8ef33b6134e65e3a281296d7abbb1b07937f825588d5c54349cd5

SHA512
65c48b9ea134157442e1b338e49e1bb3366d460dc4658536aefb156738b8a2f11f2c6ef543b855394debbd0313686b07814390ec0d8c100e56968c1f7d4b867a

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
106B

MD5
d1bd75efa76d7dc5f21704e38dd5eaae

SHA1
6f90aa514e42ac10618de8085dc0a499f64bdbed

SHA256
6740cd18df26978f235a08558b69f95925b964d9d05a1bb300e11a8ce3d8669b

SHA512
cd012eb0c34f14a95c82090a0d37db2d7ae9d51730de02ddb6dde2c8144ac5f8cada26f116cdf8826bdc0313b48eb48e3d3beb425d85ae32e64feafb1fffb19e

Download Submit
C:\Users\Admin\AppData\Roaming\sched.exe

Filesize
7KB

MD5
c78d96b8ca9409feaf75be866520e280

SHA1
35d43949bdf347c94b1fc45a9b3baeda6ee85c0f

SHA256
c2b0439a66b4dfd4cdcd505a00facdfcc17515bfb29a38f029bd706ea4d26155

SHA512
aecc4ffbc2584e6f483d2859635767f55a6d26eecd204178a3f5bcb4e7e71e6698bb68e552899d5710eda0762843fddf6a03a8db1a7164bd290953af97bf5be3

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/960-27-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/960-32-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/2128-123-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2128-109-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2128-110-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2128-111-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-157-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-158-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-165-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-163-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-161-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-160-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4256-159-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4640-38-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4640-44-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/4640-46-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4640-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5152-2-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/5152-1-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/5152-0-0x0000000074922000-0x0000000074923000-memory.dmp

Filesize
4KB

Download
memory/5152-78-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/6028-7-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/6028-16-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download