remcos | f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Size

9.7MB
MD5

5a6f38693f748bbc32b3068f72c93075
SHA1

8e80b4b3c3b313527a02ce59c9d8a3623986f2a9
SHA256

f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f
SHA512

074dda5143fac0cbe0fa099dd4a2970ba3a6272a788b9df66387cb1caa7914843cd073df2e9274a4402f2fe5606ac164c8c71f3e35776454355bcde24a93ace5
SSDEEP

196608:qR668aaELjR668aaELtR668aaELbR668aaELxpFvqcA:qp8aaqp8aa0p8aaSp8aa4

Score

10^/10

remcos xred abillion+naira backdoor discovery execution persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
2848	powershell.exe
3056	powershell.exe
2376	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1560	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
480	Synaptics.exe
832	Synaptics.exe
572	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
832	Synaptics.exe
832	Synaptics.exe
832	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 480 set thread context of 832	480	Synaptics.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
3052	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2892	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2768	powershell.exe
2376	powershell.exe
480	Synaptics.exe
480	Synaptics.exe
480	Synaptics.exe
480	Synaptics.exe
2848	powershell.exe
3056	powershell.exe
480	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	480	Synaptics.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1560	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2892	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2376	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	30
PID 2980 wrote to memory of 2376	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	30
PID 2980 wrote to memory of 2376	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	30
PID 2980 wrote to memory of 2376	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	30
PID 2980 wrote to memory of 2768	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	32
PID 2980 wrote to memory of 2768	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	32
PID 2980 wrote to memory of 2768	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	32
PID 2980 wrote to memory of 2768	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	32
PID 2980 wrote to memory of 2724	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 2980 wrote to memory of 2724	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 2980 wrote to memory of 2724	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 2980 wrote to memory of 2724	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 2980 wrote to memory of 3048	2980	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	36
PID 3048 wrote to memory of 1560	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 3048 wrote to memory of 1560	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 3048 wrote to memory of 1560	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 3048 wrote to memory of 1560	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 3048 wrote to memory of 480	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 3048 wrote to memory of 480	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 3048 wrote to memory of 480	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 3048 wrote to memory of 480	3048	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 480 wrote to memory of 2848	480	Synaptics.exe	39
PID 480 wrote to memory of 2848	480	Synaptics.exe	39
PID 480 wrote to memory of 2848	480	Synaptics.exe	39
PID 480 wrote to memory of 2848	480	Synaptics.exe	39
PID 480 wrote to memory of 3056	480	Synaptics.exe	41
PID 480 wrote to memory of 3056	480	Synaptics.exe	41
PID 480 wrote to memory of 3056	480	Synaptics.exe	41
PID 480 wrote to memory of 3056	480	Synaptics.exe	41
PID 480 wrote to memory of 3052	480	Synaptics.exe	42
PID 480 wrote to memory of 3052	480	Synaptics.exe	42
PID 480 wrote to memory of 3052	480	Synaptics.exe	42
PID 480 wrote to memory of 3052	480	Synaptics.exe	42
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 480 wrote to memory of 832	480	Synaptics.exe	45
PID 832 wrote to memory of 572	832	Synaptics.exe	46
PID 832 wrote to memory of 572	832	Synaptics.exe	46
PID 832 wrote to memory of 572	832	Synaptics.exe	46
PID 832 wrote to memory of 572	832	Synaptics.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4911.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1560
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F6B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3052
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:572

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.7MB

MD5
5a6f38693f748bbc32b3068f72c93075

SHA1
8e80b4b3c3b313527a02ce59c9d8a3623986f2a9

SHA256
f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f

SHA512
074dda5143fac0cbe0fa099dd4a2970ba3a6272a788b9df66387cb1caa7914843cd073df2e9274a4402f2fe5606ac164c8c71f3e35776454355bcde24a93ace5

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e7fc1976f2f92af49e2f33eb42861f10

SHA1
6805a74952adcca95697fe808c5dd14a09a4a9c6

SHA256
69e2eb65dc9e1eb48188670d8b8e2bae9a35e7f13bc386a63366b9161e3be15d

SHA512
9623bb26113cb64617825904f3d7940ec1ec1d8d62a25dda4cecfac96ca7d793d6700d2eeb2a9bae9fb398c10a719bc653b94365644c70706f91dd534e2e20d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4911.tmp

Filesize
1KB

MD5
2dedb79864039a421308db337e4a28e1

SHA1
8ff384d54a65f6d3998904c3d411b03a35969caa

SHA256
c0ecc7356e4e277361abbe03f39a1304f806cb434f53228726afb03b1aa31e9e

SHA512
afce7c3acbf100fc8154104fe39f84696188f1dc1d019e877757af901b9d0f11274801644f6ede2968676b103e7889dabfdf9f77b1d29638fc0fb2d367b18e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7SeuHWl.xlsm

Filesize
22KB

MD5
a6ab27cf2fa42a70a8e3d55658a16df8

SHA1
c62151cb14b2c3ad7b0150cc097e9e8f14b73a96

SHA256
9bdee477c9cc6eeeef7ea4428a4922f2a09a7209387088a6383511b3833dd0d3

SHA512
c27c473441c25180a4df5b8449f319c49c84b7a33bddae3096e254bb876b0cc1e9b4f78e1551d091546de899d17de8182a58c0621d1471db8f5a1f14c818fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7SeuHWl.xlsm

Filesize
28KB

MD5
92ba33973e006d7aac3c94cff79414a7

SHA1
158e18bed14a71c19ad9dac32d130887e0ec17b9

SHA256
d91574600fea04a27eb9c0794c1c90e1499faffedd143651e8aa05c55a5be440

SHA512
0264c6141993e9521ce5c57c1afe55bd19cc96cbbec60772de7156b54b4832536a481d1aa52f0e6f53755b6e3a20090e1a6a2b586395b400f722f0cf078cd697

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7SeuHWl.xlsm

Filesize
30KB

MD5
01578c1b987d23d5c1359ab5b0c39060

SHA1
5e5b14d1ff1d82a067d4ad27c943054fe5deebf2

SHA256
7e509717ce3388dde1ef276647cdf0d03c54611cb2612674c282cf9bde8916f7

SHA512
a58fd1f950b67fdce296ddfd22bc2568abe84f5b979fd9463e1aaf506b3ede3dc6d22df9b6b66056a66d51ec54e212be680e7f7259cc11531c5ba7f2280be028

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7SeuHWl.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7SeuHWl.xlsm

Filesize
26KB

MD5
1d5f8eb45177900f0b5c64ba3f6f8b5f

SHA1
eafe74a078557e5a4a7c843af15ae69a0edfebd0

SHA256
11b88ae970f76daf772e55e5c1626104216440fb0b675c74f4cd5ec41cc54091

SHA512
c474ac78be7e164864e4b203271c8cbe98d48f7567f566977fbf9a78ab1bafbb79c39a1661773d9320aface4256614b8afd9690ec4edd9b194169395f014c848

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$y7SeuHWl.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSM2SFRNPEARO0PKOLCI.temp

Filesize
7KB

MD5
edd35174c772e5c6b4a849d1c891cda1

SHA1
493a754281be430bab16c0734b5f13b31175e423

SHA256
def1ba31df9db3cb7f824a036b9b13ac3b1b61f98cdd93d431405bda07aa71f4

SHA512
640e9bff3f5458aec87ebce70c0135fdbec85a3049edd3f1893ab7b95008523f719daa754c4ca007697245c3ea6a140ba02841a0915d715963b7dd5ca63ea660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
56683739b3e22496d8b8ab8531fb9505

SHA1
c12c0baf9beb1111abc8f5feaece16684282b0f8

SHA256
e922fdaa87382e6e66d994a1f2a92e5ddb411fbe98138deb1c619bf012f0654e

SHA512
ceb3fe93858e5e29d82ac6826db493f370b3dba6839d28a469b00c69af4e48ab0b3d349dc0bac603e45a55d90f13e0cc4fc3e8ff28eeec490193e7bf545b8754

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
memory/480-62-0x0000000000850000-0x00000000011FE000-memory.dmp

Filesize
9.7MB

Download
memory/832-186-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/832-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/832-96-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/832-185-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/832-190-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/832-231-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2892-128-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-133-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-187-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-124-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-125-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-126-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-127-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-129-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-118-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-115-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-112-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-123-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-122-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-121-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-120-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-119-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-117-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-116-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-114-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-113-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-130-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-135-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-134-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-132-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2892-131-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2980-5-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-6-0x00000000059C0000-0x0000000005B3E000-memory.dmp

Filesize
1.5MB

Download
memory/2980-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000001330000-0x0000000001CDE000-memory.dmp

Filesize
9.7MB

Download
memory/2980-36-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-3-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/2980-4-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/3048-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download