darkcomet | c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9

Analysis

max time kernel
150s
max time network
72s
platform
windows7_x64
resource
win7
submitted
24-06-2020 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe
Size

932KB
MD5

1dc80685c258916d30f9bf2365d76ff5
SHA1

bc0111105913d61308b5164833d31574d0391543
SHA256

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9
SHA512

7bf344038fc679919f30f93070c666c5409d76f81b8a79cf6aeda9d356ad7b9b570de0e994b4dd20096e3b3869b63ad496361f08bbd24eaa3eea6580aa965ba2

Score

10^/10

darkcomet test server persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Test Server

127.0.0.1:1604

Mutex

DC_MUTEX-4XKPULH

Attributes

gencode
LBSgYfRa7QDe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

STEWART LOGO.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	STEWART LOGO.EXE

Executes dropped EXE 6 IoCs

Processes:

taskmgr.exeSTEWART LOGO.EXESTEWART LOGO.EXEsvchost.comnotepad.exesvchost.com

pid process

1304 taskmgr.exe
1548 STEWART LOGO.EXE
1224 STEWART LOGO.EXE
1608 svchost.com
1892 notepad.exe
564 svchost.com

pid	process
1304	taskmgr.exe
1548	STEWART LOGO.EXE
1224	STEWART LOGO.EXE
1608	svchost.com
1892	notepad.exe
564	svchost.com

Loads dropped DLL 13 IoCs

Processes:

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exetaskmgr.exeSTEWART LOGO.EXESTEWART LOGO.EXEsvchost.comsvchost.com

pid	process
1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe
1304	taskmgr.exe
1304	taskmgr.exe
1548	STEWART LOGO.EXE
1548	STEWART LOGO.EXE
1548	STEWART LOGO.EXE
1548	STEWART LOGO.EXE
1548	STEWART LOGO.EXE
1224	STEWART LOGO.EXE
1608	svchost.com
1608	svchost.com
1608	svchost.com
564	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\facebook.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\facebook.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exeSTEWART LOGO.EXE

description	pid	process	target process
PID 1032 set thread context of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1224 set thread context of 1892	1224	STEWART LOGO.EXE	notepad.exe

Drops file in Program Files directory 64 IoCs

Processes:

STEWART LOGO.EXEsvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Temp\GUM2396.tmp\GOFB2B~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\CHROME~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\INSTAL~1\setup.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\NOTIFI~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\CHROME~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\ELEVAT~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	STEWART LOGO.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE	STEWART LOGO.EXE

Drops file in Windows directory 5 IoCs

Processes:

svchost.comSTEWART LOGO.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	STEWART LOGO.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

STEWART LOGO.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	STEWART LOGO.EXE

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1364 reg.exe
1944 reg.exe

pid	process
1364	reg.exe
1944	reg.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exeSTEWART LOGO.EXEnotepad.exe

description	pid	process
Token: SeDebugPrivilege	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe
Token: SeDebugPrivilege	1224	STEWART LOGO.EXE
Token: SeIncreaseQuotaPrivilege	1892	notepad.exe
Token: SeSecurityPrivilege	1892	notepad.exe
Token: SeTakeOwnershipPrivilege	1892	notepad.exe
Token: SeLoadDriverPrivilege	1892	notepad.exe
Token: SeSystemProfilePrivilege	1892	notepad.exe
Token: SeSystemtimePrivilege	1892	notepad.exe
Token: SeProfSingleProcessPrivilege	1892	notepad.exe
Token: SeIncBasePriorityPrivilege	1892	notepad.exe
Token: SeCreatePagefilePrivilege	1892	notepad.exe
Token: SeBackupPrivilege	1892	notepad.exe
Token: SeRestorePrivilege	1892	notepad.exe
Token: SeShutdownPrivilege	1892	notepad.exe
Token: SeDebugPrivilege	1892	notepad.exe
Token: SeSystemEnvironmentPrivilege	1892	notepad.exe
Token: SeChangeNotifyPrivilege	1892	notepad.exe
Token: SeRemoteShutdownPrivilege	1892	notepad.exe
Token: SeUndockPrivilege	1892	notepad.exe
Token: SeManageVolumePrivilege	1892	notepad.exe
Token: SeImpersonatePrivilege	1892	notepad.exe
Token: SeCreateGlobalPrivilege	1892	notepad.exe
Token: 33	1892	notepad.exe
Token: 34	1892	notepad.exe
Token: 35	1892	notepad.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

276 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad.exe

pid process

1892 notepad.exe

pid	process
276	DllHost.exe

pid	process
1892	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.execmd.exetaskmgr.exeSTEWART LOGO.EXESTEWART LOGO.EXEsvchost.comcmd.exesvchost.comcmd.exe

description	pid	process	target process
PID 1032 wrote to memory of 1204	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	cmd.exe
PID 1032 wrote to memory of 1204	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	cmd.exe
PID 1032 wrote to memory of 1204	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	cmd.exe
PID 1032 wrote to memory of 1204	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	cmd.exe
PID 1204 wrote to memory of 1364	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1364	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1364	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1364	1204	cmd.exe	reg.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1032 wrote to memory of 1304	1032	c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe	taskmgr.exe
PID 1304 wrote to memory of 1548	1304	taskmgr.exe	STEWART LOGO.EXE
PID 1304 wrote to memory of 1548	1304	taskmgr.exe	STEWART LOGO.EXE
PID 1304 wrote to memory of 1548	1304	taskmgr.exe	STEWART LOGO.EXE
PID 1304 wrote to memory of 1548	1304	taskmgr.exe	STEWART LOGO.EXE
PID 1548 wrote to memory of 1224	1548	STEWART LOGO.EXE	STEWART LOGO.EXE
PID 1548 wrote to memory of 1224	1548	STEWART LOGO.EXE	STEWART LOGO.EXE
PID 1548 wrote to memory of 1224	1548	STEWART LOGO.EXE	STEWART LOGO.EXE
PID 1548 wrote to memory of 1224	1548	STEWART LOGO.EXE	STEWART LOGO.EXE
PID 1224 wrote to memory of 1608	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 1608	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 1608	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 1608	1224	STEWART LOGO.EXE	svchost.com
PID 1608 wrote to memory of 1660	1608	svchost.com	cmd.exe
PID 1608 wrote to memory of 1660	1608	svchost.com	cmd.exe
PID 1608 wrote to memory of 1660	1608	svchost.com	cmd.exe
PID 1608 wrote to memory of 1660	1608	svchost.com	cmd.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1224 wrote to memory of 1892	1224	STEWART LOGO.EXE	notepad.exe
PID 1660 wrote to memory of 1944	1660	cmd.exe	reg.exe
PID 1660 wrote to memory of 1944	1660	cmd.exe	reg.exe
PID 1660 wrote to memory of 1944	1660	cmd.exe	reg.exe
PID 1660 wrote to memory of 1944	1660	cmd.exe	reg.exe
PID 1224 wrote to memory of 564	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 564	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 564	1224	STEWART LOGO.EXE	svchost.com
PID 1224 wrote to memory of 564	1224	STEWART LOGO.EXE	svchost.com
PID 564 wrote to memory of 568	564	svchost.com	cmd.exe
PID 564 wrote to memory of 568	564	svchost.com	cmd.exe
PID 564 wrote to memory of 568	564	svchost.com	cmd.exe
PID 564 wrote to memory of 568	564	svchost.com	cmd.exe
PID 568 wrote to memory of 1376	568	cmd.exe	choice.exe
PID 568 wrote to memory of 1376	568	cmd.exe	choice.exe
PID 568 wrote to memory of 1376	568	cmd.exe	choice.exe
PID 568 wrote to memory of 1376	568	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe
"C:\Users\Admin\AppData\Local\Temp\c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V chrome.exe /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V chrome.exe /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\chrome.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1364

C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE
"C:\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V facebook.exe /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\facebook.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V facebook.exe /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\facebook.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V facebook.exe /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\facebook.exe
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1944

C:\Users\Admin\AppData\Local\Temp\notepad.exe
C:\Users\Admin\AppData\Local\Temp\notepad.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
6⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:1376

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9730F~1\ose.exe
MD5
6cd2df651dc85a4e83f2a41175de1698

SHA1
800f6384a60a691cd4bff15157887d16af912406

SHA256
d387e1092ebc476e84d89f9fcef7636657bdf510472abde319cca49839c3fdf0

SHA512
056c1a11814f8954dc447ca5865bf0c34061e09c66352f62681b82246e1d6e6040770fe6c0cee92f2ba3b463ab41358cbcfd53877e4436e54dea2d850355177f

Download Submit
C:\MSOCache\ALLUSE~1\{9730F~1\setup.exe
MD5
ecebfdda539dc1625cb96192a346b352

SHA1
540e81daf0010fe244d0597a36a69977f90ba640

SHA256
0d49226b68b857cebf61e1d88b4b657fc36c8555b47f6ad0dde78dd3d519f63c

SHA512
cd649088ca33f8a3a16c691fdb0b06ec11c0aee2812915330636f9b0b098bec544ec92ee93b29f62c516f9be39a23577070336c0d92df273b19fc8e4cbf4d68c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\CHROME~1.EXE
MD5
99421d9ee24e24bde2aa5cd25d30f988

SHA1
06eb8c51c373657f9dd877951b648186671d5876

SHA256
73e1c4907b69f42b18c0a6d8a82931cd03c6b197aa010557c651ec36f57f5629

SHA512
7aa37479c98c6f873b3a9335963a4f44bf1b4c016cdc1b637ad64d419d217723a53ea0666ac47abb9bf9cf7d2858ffe942af46939dfe201d96fe312ece4b0d73

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\ELEVAT~1.EXE
MD5
d109e5053ee05d9f8801120cda8d2c3f

SHA1
ad33280a4f490f61e9978332668afc2421b15fe7

SHA256
bc9205aef1016d3836d53392d61282b005f4d0b19e34b2ed073139aacaeb3f73

SHA512
0454d33cf4d99d1dfba14a5a1262ed72441543b6d3611878233b89390430a61838153c7bcc4d623e20eda33a01b4164c9588da2e5cef12b0338e050a6d080955

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\INSTAL~1\chrmstp.exe
MD5
8a067e93ba1a7b892ec17996d6530678

SHA1
572e32c8a8b8a5ffbdb03ed267b6531f955a427a

SHA256
f6aa20d7e7b9b869087fa0153977ca1845f6ad1049be6f371ace2b8e945cddbe

SHA512
173d4d5a698ecc3cd6501886a8f42d117bb01b416809ba2f6eb1e8a55f00521d42de37ea10a72c256627367345c232baabb3c7428aa564b29ca9f349cae9a3a5

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\INSTAL~1\setup.exe
MD5
8a067e93ba1a7b892ec17996d6530678

SHA1
572e32c8a8b8a5ffbdb03ed267b6531f955a427a

SHA256
f6aa20d7e7b9b869087fa0153977ca1845f6ad1049be6f371ace2b8e945cddbe

SHA512
173d4d5a698ecc3cd6501886a8f42d117bb01b416809ba2f6eb1e8a55f00521d42de37ea10a72c256627367345c232baabb3c7428aa564b29ca9f349cae9a3a5

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\830410~1.106\NOTIFI~1.EXE
MD5
afbf52bd669d92598bba9c1aa4baf644

SHA1
7bc5bb609c0968e0e047a80eec4d7d555c622358

SHA256
d2111bcd37af47bd682c5c1d8cf0354987ff95c0e48ed8f2e0c48e72ea82b59c

SHA512
e90435505ad51752b0c893aaad3753baab979564b607a14a2157504937e45a5dfacf650f0e6b2ab8c0af08f4921246fdd8aa319ad5821914b72191ac3466231e

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\CHROME~1.EXE
MD5
08273ab034960cd7ee287b22f7bcc8bc

SHA1
1114cd5cf55d3953fb112c2f9e2f9c5db5cead31

SHA256
b01b938f2ea8f5f027c87966962e0808cc40f899e1b2766c4934166a39b63156

SHA512
fc5a814d8943abc2c4e2ba1a9033a756b7403ceb155d204358f692d1d438c1689178a2ca03bb7749f74dd1a544d9b5fb187d701a10fea8941477409e359276d4

Download Submit
C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe
MD5
f374bd18a71d5c53e1492804e32d610e

SHA1
23b96a4cecea5fe7242e435a36f332d59f4218f5

SHA256
88aa1801d113efa6b9bb43757ca439c39e0c210c34f2ad75c154a76f684d93f7

SHA512
6ae05331a794c98f0294d33ac2495c09ab346ebfc1cf892d0a75b2bfa538723d71da3e250501c6bab45298ee8e327ef20e70e499cafcbe751a6a37170e6a24fd

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE
MD5
f4ecc57e068a5f90dfb3ec022a4b30c1

SHA1
53b58bef5bcc0cb9c678e284740a1bdaed0d14e7

SHA256
0d365ee501c96d9a391dbc81443ec14322bc9269ff07513051c44ecc055c1f4e

SHA512
f9e40b4e355617416d3958d395d29223cf4d62e9075ab46d0aad4bb7aeb23b1f419ebef67322166fc397a02b66717d651e1c3bf9da28e8b0c9169b7c6f1637cd

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE
MD5
9f095fd38a056ab1aa71309220bc886d

SHA1
80ce01bd81ea5416f24ddfc93e63ceb1854425d9

SHA256
a4f6aa10ff4e7f72b4133aae045d7a952b2cb977c39b06bd4098775472e23b31

SHA512
38ad80439f02d3a979652f13068a2aadab1ba9425d0757d65967edc40ff675dc38716d1ad3d4306818ae5262d249514d3de7035659624fcf047113316d36c9b0

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE
MD5
1f0d994bb7164b099287721173745da7

SHA1
8ef14c6c070ebaa67615ba6b890d514486009e6f

SHA256
6392a286f460ee4e898d56ff069fdcf149643ca1b07a1250a45ae4a3a12d1681

SHA512
cf9bc3668b2c8109f367b8e6ac90d81b2d632e56eab2598b08c341655b981c1ace95730cc3e5bd9daa2d6cc72c610fcf63017000eb3e9848bf26cb8a2109ecb8

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE
MD5
b47299885583124a8f74404cca0d46f2

SHA1
87a1e47318a1316040599e308e2dc4c32f57cfc4

SHA256
6f368768df55b8caba8ba93a18c984466d66c19275cb5f795e54cedbe0b7d3d3

SHA512
39e7818470b1f2c92436b3725916c8780ade4c5476b4d36fef629dd8f3fe59dbb3933a6217f792234f3ce9681cb7fc052b6015e71f2e101002bf72c90af58d6b

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE
MD5
4153665f3c3f729da64224cf1b354cf7

SHA1
9365df7a026df76bb58463f55ad5dadc71d0896d

SHA256
a8dc8271ed6f0cdd6049d21b712c3e6532a2daa3ba407c75bae3e06ef3003e0d

SHA512
ad4dd0576c527bf0969c5d108b44637b63a3ec31c497418ed45de3d115a0e846b957ee1d1c5fb09f2e4071e53c058513ffdae7206be20e062672f07eb823e559

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE
MD5
3dcdb9d3f49c70a5d165cb24ce5f3796

SHA1
fce23fe7e15ebd2871d64b871f6b0cac114ae569

SHA256
a410c6dc3aebca60dd9069aafa6ce3cafb515dd19b801bcc585127de02dbebd2

SHA512
35889305c37e6af0178247cec92e7627f37cfc74b4484858ef3381e9852560659aafb4fd1125f3a2b5b2518390e17684ca989a7ffce9ab6aa4b73007a04ad434

Download Submit
C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE
MD5
326a4d1e16ffa388b433a89b0f23847f

SHA1
664b4e5e10c42801df59a9ccc8722d07ea31d06e

SHA256
66ea19cae95aec6a6e318b94d27739c81922241cd09707687be788fe8e7a9944

SHA512
987a7028779f9147865ab82e91bb87757db32ab2a8d7c3eca9df467d57807d86266327c1fcfe45ea16c71cf5454149eba63bfefc736f37b3c54bba1e0ba72b93

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
MD5
b47299885583124a8f74404cca0d46f2

SHA1
87a1e47318a1316040599e308e2dc4c32f57cfc4

SHA256
6f368768df55b8caba8ba93a18c984466d66c19275cb5f795e54cedbe0b7d3d3

SHA512
39e7818470b1f2c92436b3725916c8780ade4c5476b4d36fef629dd8f3fe59dbb3933a6217f792234f3ce9681cb7fc052b6015e71f2e101002bf72c90af58d6b

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F8F9A99109C75EE60B11E016792E512DB4037E1-500.JPG
MD5
77b3ba75feac03d31d300efcbd1bc496

SHA1
c7a9adfcb7e9828b4c547c3ecc41a3a98deb4b0d

SHA256
4ccb5d2cc16a3e6af650def87a9ba2ad1e501245d9fb2dbcbd850cf6540cd2f2

SHA512
7cec6305dacfaee335c182d786cc64f3cc9e13888f605d0084d2e09f549a9eac031591ac4c7ef5f858a5a469b5593ce37631b457b26d7799fbb5d6040d2b7332

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE
MD5
997167d43f6cc1f33fa886fb8de58cbf

SHA1
8fec2ca96fe6430a3f751ff230f7d0a9bf269c80

SHA256
3fb5af71f925c4e6eb8e6e88045b828d14d715231b575dc42ea8ac6fe23f4222

SHA512
ad31cec86f57659d1ca6aa858e02480fce1c51dc6cbd0d0c2607db424ad1833b7b626a6d2d36781a9083313d42efe88394cf1bc18badfb293120e76cb18df713

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE
MD5
997167d43f6cc1f33fa886fb8de58cbf

SHA1
8fec2ca96fe6430a3f751ff230f7d0a9bf269c80

SHA256
3fb5af71f925c4e6eb8e6e88045b828d14d715231b575dc42ea8ac6fe23f4222

SHA512
ad31cec86f57659d1ca6aa858e02480fce1c51dc6cbd0d0c2607db424ad1833b7b626a6d2d36781a9083313d42efe88394cf1bc18badfb293120e76cb18df713

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook.exe
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
de033ab9fe6cfec9e446c1d4d823a595

SHA1
f85aa9fb156026977c9af89a884037d59812e8e8

SHA256
5075431ce55501f701f81c9b9844e1f3ac2d078997ae037b5ffdf34208750c72

SHA512
414bf01413e7f6eb6efb3519ccbbf803687c68a1f3c0ea6997d10c984f039546001d9bcebe118ff584497d1c23d076f5f316b9e128272b7aed74a24d3bbeb343

Download Submit
C:\Windows\directx.sys
MD5
7c57c44a8abac07bc7cb14fab7a45dbf

SHA1
44cbb038139dbefed11dd2d262b4013a7f4dfb0e

SHA256
b4f2f0d20b61a1897c343446affacbdee359819c9ff99e252e95e263542e5a84

SHA512
cc25df56587cd2c431cf86c7849967234f5462adca3e7709c0aeab8f15e6141e58b5f1d9c0f167c7caceea20e50216923681b7833258d9e64c6e919d5ddc09d4

Download Submit
C:\Windows\svchost.com
MD5
d4856c2f1b21b6cd673482299d321cb9

SHA1
5d5a95832065da4dca1ac44b02ea05486da691bb

SHA256
a9e8e5d7450ee374ebb1a60527b077edcf8dfcde3d743970335999dd4d839623

SHA512
2b84f96b876b4741ef2a45bea5dc38f9f2a96af18ee16e88ba8e8d3259240d11da0aa1985ae14939e9326b39186a8cbb4dd97a05555a00ef20f9fce2caeb1be4

Download Submit
C:\Windows\svchost.com
MD5
d4856c2f1b21b6cd673482299d321cb9

SHA1
5d5a95832065da4dca1ac44b02ea05486da691bb

SHA256
a9e8e5d7450ee374ebb1a60527b077edcf8dfcde3d743970335999dd4d839623

SHA512
2b84f96b876b4741ef2a45bea5dc38f9f2a96af18ee16e88ba8e8d3259240d11da0aa1985ae14939e9326b39186a8cbb4dd97a05555a00ef20f9fce2caeb1be4

Download Submit
C:\Windows\svchost.com
MD5
d4856c2f1b21b6cd673482299d321cb9

SHA1
5d5a95832065da4dca1ac44b02ea05486da691bb

SHA256
a9e8e5d7450ee374ebb1a60527b077edcf8dfcde3d743970335999dd4d839623

SHA512
2b84f96b876b4741ef2a45bea5dc38f9f2a96af18ee16e88ba8e8d3259240d11da0aa1985ae14939e9326b39186a8cbb4dd97a05555a00ef20f9fce2caeb1be4

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Google\Temp\GUM2396.tmp\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Temp\GUM2396.tmp\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\STEWART LOGO.EXE
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE
MD5
997167d43f6cc1f33fa886fb8de58cbf

SHA1
8fec2ca96fe6430a3f751ff230f7d0a9bf269c80

SHA256
3fb5af71f925c4e6eb8e6e88045b828d14d715231b575dc42ea8ac6fe23f4222

SHA512
ad31cec86f57659d1ca6aa858e02480fce1c51dc6cbd0d0c2607db424ad1833b7b626a6d2d36781a9083313d42efe88394cf1bc18badfb293120e76cb18df713

Download Submit
\Users\Admin\AppData\Local\Temp\STEWART LOGO.EXE
MD5
997167d43f6cc1f33fa886fb8de58cbf

SHA1
8fec2ca96fe6430a3f751ff230f7d0a9bf269c80

SHA256
3fb5af71f925c4e6eb8e6e88045b828d14d715231b575dc42ea8ac6fe23f4222

SHA512
ad31cec86f57659d1ca6aa858e02480fce1c51dc6cbd0d0c2607db424ad1833b7b626a6d2d36781a9083313d42efe88394cf1bc18badfb293120e76cb18df713

Download Submit
\Users\Admin\AppData\Local\Temp\facebook.exe
MD5
b5a5dae6ce963243beaa8b08c8576822

SHA1
eef26c3f11a1798c479aea4fd95cd9178c46e4b3

SHA256
6240cd22f256c31bd6c31f5cbca98b749c0e5dc33d9ccf10fb5a5c9523accfb2

SHA512
203f1aafbc3747e045136791d8b0068b3651b75814096f6dbaa1f9c48e41658e4f65f4a0d9f03ec265250eb5a77c34e12c130ce5186b1f5dc2d1fb6c8cf50277

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\taskmgr.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/564-73-0x0000000000000000-mapping.dmp

Download
memory/568-77-0x0000000000000000-mapping.dmp

Download
memory/1204-0-0x0000000000000000-mapping.dmp

Download
memory/1224-15-0x0000000000000000-mapping.dmp

Download
memory/1304-3-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1304-4-0x0000000000403248-mapping.dmp

Download
memory/1304-6-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1364-2-0x0000000000000000-mapping.dmp

Download
memory/1376-78-0x0000000000000000-mapping.dmp

Download
memory/1548-10-0x0000000000000000-mapping.dmp

Download
memory/1608-23-0x0000000000000000-mapping.dmp

Download
memory/1660-26-0x0000000000000000-mapping.dmp

Download
memory/1892-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1892-33-0x000000000048F888-mapping.dmp

Download
memory/1892-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1944-36-0x0000000000000000-mapping.dmp

Download