darkcomet | 9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe
Size

2.1MB
MD5

5392288f58739141bc319d5d9b38a677
SHA1

acc64f222ee3ab0465d4eecc0e06dcb6f9c8c00c
SHA256

9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68
SHA512

a50e71b104c2ce883a2b9827edc4b0c2012277e28ca0262afbf54ab42323d72f21c71c8b4fbcaac2687f59591d013e13e7e11dc15e3e801ef658972e52a5dceb
SSDEEP

49152:0bQDgok30mycUPTVxbBvWOsnCoV3UtzDI9:0bQU/NUPTlvWOIcxDy

Score

10^/10

darkcomet facechat evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FaceChat

jebozovan.no-ip.org:81

Mutex

DC_MUTEX-VYZAE9V

Attributes

InstallPath
Updater\svchost.exe
gencode
7gYDkFuVmVLg
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

FACEBOOK CHAT @DESKTOP.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Updater\\svchost.exe"	FACEBOOK CHAT @DESKTOP.EXE

Executes dropped EXE 3 IoCs

Processes:

FACEBOOK CHAT @DESKTOP.EXEFACEBOOKCHATDESKTOP.EXEsvchost.exe

pid process

2040 FACEBOOK CHAT @DESKTOP.EXE
1620 FACEBOOKCHATDESKTOP.EXE
972 svchost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1372 attrib.exe
664 attrib.exe

pid	process
2040	FACEBOOK CHAT @DESKTOP.EXE
1620	FACEBOOKCHATDESKTOP.EXE
972	svchost.exe

pid	process
1372	attrib.exe
664	attrib.exe

Loads dropped DLL 9 IoCs

Processes:

9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exeWerFault.exeFACEBOOK CHAT @DESKTOP.EXE

pid	process
1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe
1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe
1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
2040	FACEBOOK CHAT @DESKTOP.EXE
2040	FACEBOOK CHAT @DESKTOP.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FACEBOOK CHAT @DESKTOP.EXEsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\Updater\\svchost.exe"	FACEBOOK CHAT @DESKTOP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\Updater\\svchost.exe"	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

FACEBOOK CHAT @DESKTOP.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Updater\svchost.exe	FACEBOOK CHAT @DESKTOP.EXE
File opened for modification	C:\Windows\SysWOW64\Updater\	FACEBOOK CHAT @DESKTOP.EXE
File created	C:\Windows\SysWOW64\Updater\svchost.exe	FACEBOOK CHAT @DESKTOP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 1620 WerFault.exe FACEBOOKCHATDESKTOP.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

972 svchost.exe

pid	pid_target	process	target process
1568	1620	WerFault.exe	FACEBOOKCHATDESKTOP.EXE

pid	process
972	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

FACEBOOK CHAT @DESKTOP.EXEsvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeSecurityPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeTakeOwnershipPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeLoadDriverPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeSystemProfilePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeSystemtimePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeProfSingleProcessPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeIncBasePriorityPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeCreatePagefilePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeBackupPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeRestorePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeShutdownPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeDebugPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeSystemEnvironmentPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeChangeNotifyPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeRemoteShutdownPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeUndockPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeManageVolumePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeImpersonatePrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeCreateGlobalPrivilege	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: 33	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: 34	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: 35	2040	FACEBOOK CHAT @DESKTOP.EXE
Token: SeIncreaseQuotaPrivilege	972	svchost.exe
Token: SeSecurityPrivilege	972	svchost.exe
Token: SeTakeOwnershipPrivilege	972	svchost.exe
Token: SeLoadDriverPrivilege	972	svchost.exe
Token: SeSystemProfilePrivilege	972	svchost.exe
Token: SeSystemtimePrivilege	972	svchost.exe
Token: SeProfSingleProcessPrivilege	972	svchost.exe
Token: SeIncBasePriorityPrivilege	972	svchost.exe
Token: SeCreatePagefilePrivilege	972	svchost.exe
Token: SeBackupPrivilege	972	svchost.exe
Token: SeRestorePrivilege	972	svchost.exe
Token: SeShutdownPrivilege	972	svchost.exe
Token: SeDebugPrivilege	972	svchost.exe
Token: SeSystemEnvironmentPrivilege	972	svchost.exe
Token: SeChangeNotifyPrivilege	972	svchost.exe
Token: SeRemoteShutdownPrivilege	972	svchost.exe
Token: SeUndockPrivilege	972	svchost.exe
Token: SeManageVolumePrivilege	972	svchost.exe
Token: SeImpersonatePrivilege	972	svchost.exe
Token: SeCreateGlobalPrivilege	972	svchost.exe
Token: 33	972	svchost.exe
Token: 34	972	svchost.exe
Token: 35	972	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

972 svchost.exe

pid	process
972	svchost.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exeFACEBOOKCHATDESKTOP.EXEFACEBOOK CHAT @DESKTOP.EXEcmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1256 wrote to memory of 2040	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOK CHAT @DESKTOP.EXE
PID 1256 wrote to memory of 2040	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOK CHAT @DESKTOP.EXE
PID 1256 wrote to memory of 2040	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOK CHAT @DESKTOP.EXE
PID 1256 wrote to memory of 2040	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOK CHAT @DESKTOP.EXE
PID 1256 wrote to memory of 1620	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOKCHATDESKTOP.EXE
PID 1256 wrote to memory of 1620	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOKCHATDESKTOP.EXE
PID 1256 wrote to memory of 1620	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOKCHATDESKTOP.EXE
PID 1256 wrote to memory of 1620	1256	9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe	FACEBOOKCHATDESKTOP.EXE
PID 1620 wrote to memory of 1568	1620	FACEBOOKCHATDESKTOP.EXE	WerFault.exe
PID 1620 wrote to memory of 1568	1620	FACEBOOKCHATDESKTOP.EXE	WerFault.exe
PID 1620 wrote to memory of 1568	1620	FACEBOOKCHATDESKTOP.EXE	WerFault.exe
PID 1620 wrote to memory of 1568	1620	FACEBOOKCHATDESKTOP.EXE	WerFault.exe
PID 2040 wrote to memory of 952	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 952	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 952	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 952	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 1932	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 1932	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 1932	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 2040 wrote to memory of 1932	2040	FACEBOOK CHAT @DESKTOP.EXE	cmd.exe
PID 1932 wrote to memory of 1372	1932	cmd.exe	attrib.exe
PID 1932 wrote to memory of 1372	1932	cmd.exe	attrib.exe
PID 1932 wrote to memory of 1372	1932	cmd.exe	attrib.exe
PID 1932 wrote to memory of 1372	1932	cmd.exe	attrib.exe
PID 952 wrote to memory of 664	952	cmd.exe	attrib.exe
PID 952 wrote to memory of 664	952	cmd.exe	attrib.exe
PID 952 wrote to memory of 664	952	cmd.exe	attrib.exe
PID 952 wrote to memory of 664	952	cmd.exe	attrib.exe
PID 2040 wrote to memory of 972	2040	FACEBOOK CHAT @DESKTOP.EXE	svchost.exe
PID 2040 wrote to memory of 972	2040	FACEBOOK CHAT @DESKTOP.EXE	svchost.exe
PID 2040 wrote to memory of 972	2040	FACEBOOK CHAT @DESKTOP.EXE	svchost.exe
PID 2040 wrote to memory of 972	2040	FACEBOOK CHAT @DESKTOP.EXE	svchost.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe
PID 972 wrote to memory of 1012	972	svchost.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

664 attrib.exe
1372 attrib.exe

pid	process
664	attrib.exe
1372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe
"C:\Users\Admin\AppData\Local\Temp\9a3fbbcf01c2f50da1652108b7d26b020f73b1946b25e2d5637813a226b81c68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE
"C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1372

C:\Windows\SysWOW64\Updater\svchost.exe
"C:\Windows\system32\Updater\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
"C:\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 148
3⤵
- Loads dropped DLL
- Program crash
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
C:\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
C:\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
C:\Windows\SysWOW64\Updater\svchost.exe
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
C:\Windows\SysWOW64\Updater\svchost.exe
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOK CHAT @DESKTOP.EXE
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
\Users\Admin\AppData\Local\Temp\FACEBOOKCHATDESKTOP.EXE
Filesize
1.3MB

MD5
daebd0ad2572c700bbd224c0d6c0956e

SHA1
27d6a99830178867a79c3f3eafea6ec897aac3da

SHA256
4caba5ef8a1d039d09da5e20aafc12b8a2d44563f4302946b9e510d76a1fd0c1

SHA512
d0c347e29cfeec1a6bcd9839b321322983dc0c53ce52eeb85332296f587a2600beb1ead2de3d81834e5ad72aca9abfda3b3ef58d01c94899ff9a31bec09fdb97

Download Submit
\Windows\SysWOW64\Updater\svchost.exe
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
\Windows\SysWOW64\Updater\svchost.exe
Filesize
658KB

MD5
c1f9cae3ba55deb1c0154eedc12aa8e8

SHA1
b53b0ce88c9f93bce003364792318da9463af2b7

SHA256
628d872cead2637157a26d5d7d976db5a4b407d8594abd825e71da6679466f18

SHA512
50310ec5674b88a1b18585cd107b4c25a8733e238d449547d1bdb0a87e412777333f1b8da343dc9f836fa29fe9e0065841b2500bb9d36e0f5a004bb7cc716464

Download Submit
memory/664-72-0x0000000000000000-mapping.dmp

Download
memory/952-69-0x0000000000000000-mapping.dmp

Download
memory/972-76-0x0000000000000000-mapping.dmp

Download
memory/1012-80-0x0000000000000000-mapping.dmp

Download
memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1372-71-0x0000000000000000-mapping.dmp

Download
memory/1568-64-0x0000000000000000-mapping.dmp

Download
memory/1620-60-0x0000000000000000-mapping.dmp

Download
memory/1932-70-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download