remcos | c21d62b3032b34622a925a5a6ac44c52264c1e7bdaf12597874c637c50d06943

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
Size

12.0MB
MD5

651569dc38ce166968498029ecb14ce0
SHA1

4de86e0e48d5722556f0c20da781ed2a814bf784
SHA256

c21d62b3032b34622a925a5a6ac44c52264c1e7bdaf12597874c637c50d06943
SHA512

96510f33536638ef86ba695cdbaf5a4fb6ba40266b7abb433813b4a541d8440da3933e315f20eefee22ffb952a92de5060233ea6b1f5a8eb027fa42c8be70b85
SSDEEP

196608:lR668aaELMR668aaELmR668aaELwR668aaELKR668aaEL4R668aaELeFIF0wu:lp8aatp8aaXp8aaxp8aa7p8aaZp8aap

Score

10^/10

remcos xred abillion+naira backdoor discovery execution macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
2596	powershell.exe
2344	powershell.exe
2936	powershell.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000800000001a4b5-179.dat

Executes dropped EXE 4 IoCs

pid	Process
2172	._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2968	Synaptics.exe
948	Synaptics.exe
2184	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
948	Synaptics.exe
948	Synaptics.exe
948	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2968 set thread context of 948	2968	Synaptics.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe
2508	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1700	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
2676	powershell.exe
2936	powershell.exe
2968	Synaptics.exe
2968	Synaptics.exe
2968	Synaptics.exe
2968	Synaptics.exe
2596	powershell.exe
2344	powershell.exe
2968	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2968	Synaptics.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
1700	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2936	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	30
PID 2952 wrote to memory of 2936	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	30
PID 2952 wrote to memory of 2936	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	30
PID 2952 wrote to memory of 2936	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	30
PID 2952 wrote to memory of 2676	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	32
PID 2952 wrote to memory of 2676	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	32
PID 2952 wrote to memory of 2676	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	32
PID 2952 wrote to memory of 2676	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	32
PID 2952 wrote to memory of 3040	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2952 wrote to memory of 3040	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2952 wrote to memory of 3040	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2952 wrote to memory of 3040	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2952 wrote to memory of 2100	2952	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	36
PID 2100 wrote to memory of 2172	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2100 wrote to memory of 2172	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2100 wrote to memory of 2172	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2100 wrote to memory of 2172	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2100 wrote to memory of 2968	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2100 wrote to memory of 2968	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2100 wrote to memory of 2968	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2100 wrote to memory of 2968	2100	2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2968 wrote to memory of 2596	2968	Synaptics.exe	39
PID 2968 wrote to memory of 2596	2968	Synaptics.exe	39
PID 2968 wrote to memory of 2596	2968	Synaptics.exe	39
PID 2968 wrote to memory of 2596	2968	Synaptics.exe	39
PID 2968 wrote to memory of 2344	2968	Synaptics.exe	41
PID 2968 wrote to memory of 2344	2968	Synaptics.exe	41
PID 2968 wrote to memory of 2344	2968	Synaptics.exe	41
PID 2968 wrote to memory of 2344	2968	Synaptics.exe	41
PID 2968 wrote to memory of 2508	2968	Synaptics.exe	43
PID 2968 wrote to memory of 2508	2968	Synaptics.exe	43
PID 2968 wrote to memory of 2508	2968	Synaptics.exe	43
PID 2968 wrote to memory of 2508	2968	Synaptics.exe	43
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 2968 wrote to memory of 948	2968	Synaptics.exe	45
PID 948 wrote to memory of 2184	948	Synaptics.exe	46
PID 948 wrote to memory of 2184	948	Synaptics.exe	46
PID 948 wrote to memory of 2184	948	Synaptics.exe	46
PID 948 wrote to memory of 2184	948	Synaptics.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp730E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC764.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2508
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:2184

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.0MB

MD5
651569dc38ce166968498029ecb14ce0

SHA1
4de86e0e48d5722556f0c20da781ed2a814bf784

SHA256
c21d62b3032b34622a925a5a6ac44c52264c1e7bdaf12597874c637c50d06943

SHA512
96510f33536638ef86ba695cdbaf5a4fb6ba40266b7abb433813b4a541d8440da3933e315f20eefee22ffb952a92de5060233ea6b1f5a8eb027fa42c8be70b85

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
18d8b3dc458dd2292d93bb22ecf67505

SHA1
f53c5dfc32428672f8dbe2d27dda8ebaac191948

SHA256
693610a1c08242f4664ab93cd882dfa2782bbb077af99d508c07018ebb1e3422

SHA512
d8281db4a5c1af27be56b1b2904e25cab82c1bd3fc369c6fcdac77f47da918af75c69c12c1a04fc0739a9cf3a9dce283974effce62613a38a5f2a1c5ce342dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-22_651569dc38ce166968498029ecb14ce0_avoslocker_formbook_hijackloader_luca-stealer.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZGxQNlx.xlsm

Filesize
21KB

MD5
8e77cddbba5fba57e1bde13640dae559

SHA1
da052bd44b54203d77569dfb6d9e34c32f8d488c

SHA256
12b3df1db32d3a7313d20961c2a04b02e5b56ccb17eea51fad1e43b42ddfc653

SHA512
f093270f7b0bbab2bb14bb21c0358566924071ed851a5a7ccb50271e7dc2027eec9bffda533e29edd7eb69898c37c1f111f5b2923f3e447683250e51940552a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZGxQNlx.xlsm

Filesize
25KB

MD5
163a9574424ba2c0919761b02ca59a82

SHA1
9b7cfa4617b30c06087c92a5acd4515025f2b4e8

SHA256
ca636d4de1e5a3fc5c10584c786497b62d5bee822104395ef55948f0334ab688

SHA512
44cae30c4ae7ee1b0eea99d55c787c6811ed67c2c552366f25fd38f1c3bb65e202de96d810e586f47530757d942e5023c6719727f1400adaadf054e02ed6bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZGxQNlx.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZGxQNlx.xlsm

Filesize
25KB

MD5
bbfe912452d90cafa082c0e4b86d091f

SHA1
52ac575c24c92118bbed14dcb7311cccb6b49e38

SHA256
e1c0cc7453282375bf87d9efc720c98d6ea9b91139f28d444402457a6b3aaa4d

SHA512
e24d9cbca43ae0111c881fc0508e48b2704a0a51f39f70d213fc412fb87b6569268797ebd416d41fa4b4ae53e18dd94cfabe6d7e1beec703c6832a25d4421acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZGxQNlx.xlsm

Filesize
27KB

MD5
4964731ad268a809f54a5b972291f67c

SHA1
69717430c142172ecc29df8c7cda38425386d34a

SHA256
580da1d1c1276d5d287aa52ca2309687861ba22406951d72a08cf13e0fa9d039

SHA512
3a26ada1995e7256b5beab873d097018559c99a344a046bac3e2859962e8991504ff048ed122d4f797aac6cc6434b3c3dc2540590c264d47b4e1e797b0d00b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp730E.tmp

Filesize
1KB

MD5
43ab85be9a97bd68c7e6185660099339

SHA1
548ddc2e63c89d977fbe856d63ad66eb856b704e

SHA256
d9c4a786b947fd24d85f497fdf5cff329eaf0e3f73d6b6f08be281777db973fd

SHA512
e1c2904c6631f6f0b0b0b59ab36d2a64e47dbf35484b23979f6810e1ff87281b6fc60170b032e1d90ea10a48c30e9d62196ef3d5123f50a9f7502f0f4a09f505

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$pZGxQNlx.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
43b3de60bfec01ecaecbf15caece3fdf

SHA1
1edfb861e9b2c406bb2f1c943cf17c9edf7d01b0

SHA256
ae57ca3eecd7be41618f9e919daba370901f6639088aa470b1f56e620943feae

SHA512
8ae21c6ad59552fbf7d5abef8724c99fcaf17458a27279def724e00d405ff98faf14e6a5523ab0b4fccc99815ea83884859b2da0478a8af80de04cf011d797b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0471b0e134374462cfb6006a82d5f0d1

SHA1
055b849bf3ecaa3bac3ea260febfc976f01e2e1d

SHA256
a879d33abe0837a555d739e75b017631917fa72a3b8a01fc2df512205f8094dd

SHA512
0df021c2bb796d37dcb8adda16cfac408afb718fa97f068b0955d5efdf14b4203275583c7fc4e0240c6071e26ebcd6046c8ae3a5a7fea0ff448e4920d0359b9d

Download Submit
memory/948-184-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/948-183-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/948-188-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/948-96-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/948-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/948-228-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1700-185-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1700-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2100-30-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2100-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2100-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2952-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/2952-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-5-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-38-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2952-6-0x0000000005BB0000-0x0000000005D2E000-memory.dmp

Filesize
1.5MB

Download
memory/2952-1-0x0000000000D10000-0x0000000001910000-memory.dmp

Filesize
12.0MB

Download
memory/2952-3-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/2952-4-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/2968-62-0x00000000009A0000-0x00000000015A0000-memory.dmp

Filesize
12.0MB

Download