Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2024, 18:49
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
- Resource: win7-20240903-en
General
- Target: 2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
- Size: 9.7MB
- MD5: 5a6f38693f748bbc32b3068f72c93075
- SHA1: 8e80b4b3c3b313527a02ce59c9d8a3623986f2a9
- SHA256: f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f
- SHA512: 074dda5143fac0cbe0fa099dd4a2970ba3a6272a788b9df66387cb1caa7914843cd073df2e9274a4402f2fe5606ac164c8c71f3e35776454355bcde24a93ace5
- SSDEEP: 196608:qR668aaELjR668aaELtR668aaELbR668aaELxpFvqcA:qp8aaqp8aa0p8aaSp8aa4
Malware Config
Extracted: xred
- xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Extracted: remcos
- ABILLION+NAIRA
- nzobaku.ddns.net:8081
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-S0L1LJ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
- Xred family
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid   Process
  2768  powershell.exe
  2848  powershell.exe
  3056  powershell.exe
  2376  powershell.exe
- Executes dropped EXE (4 IoCs)
  pid   Process
  1560  ._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  480   Synaptics.exe
  832   Synaptics.exe
  572   ._cache_Synaptics.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  3048  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  3048  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  3048  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  832   Synaptics.exe
  832   Synaptics.exe
  832   Synaptics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                 Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                          procid_target
  PID 2980 set thread context of 3048  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  36
  PID 480 set thread context of 832    480   Synaptics.exe                                                                    45
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description  ioc                                                                  Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2724  schtasks.exe
  3052  schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2892  EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2768  powershell.exe
  2376  powershell.exe
  480   Synaptics.exe
  480   Synaptics.exe
  480   Synaptics.exe
  480   Synaptics.exe
  2848  powershell.exe
  3056  powershell.exe
  480   Synaptics.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Token: SeDebugPrivilege  2768  powershell.exe
  Token: SeDebugPrivilege  2376  powershell.exe
  Token: SeDebugPrivilege  480   Synaptics.exe
  Token: SeDebugPrivilege  2848  powershell.exe
  Token: SeDebugPrivilege  3056  powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1560  ._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  2892  EXCEL.EXE
- Suspicious use of WriteProcessMemory (60 IoCs)
  Identical records are collapsed into one row; the last column gives how many times each record appears (60 in total).
  description                       pid   Process                                                                          procid_target  records
  PID 2980 wrote to memory of 2376  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  30             4
  PID 2980 wrote to memory of 2768  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  32             4
  PID 2980 wrote to memory of 2724  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  34             4
  PID 2980 wrote to memory of 3048  2980  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  36             12
  PID 3048 wrote to memory of 1560  3048  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  37             4
  PID 3048 wrote to memory of 480   3048  2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe  38             4
  PID 480 wrote to memory of 2848   480   Synaptics.exe                                                                    39             4
  PID 480 wrote to memory of 3056   480   Synaptics.exe                                                                    41             4
  PID 480 wrote to memory of 3052   480   Synaptics.exe                                                                    42             4
  PID 480 wrote to memory of 832    480   Synaptics.exe                                                                    45             12
  PID 832 wrote to memory of 572    832   Synaptics.exe                                                                    46             4
Processes
(process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
  PID: 2980
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
    PID: 2376
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
    PID: 2768
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4911.tmp"
    PID: 2724
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
    PID: 3048
    Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
      PID: 1560
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 480
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
        PID: 2848
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
        PID: 3056
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F6B.tmp"
        PID: 3052
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\ProgramData\Synaptics\Synaptics.exe
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe"
        PID: 832
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
          PID: 572
          Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2892
  Signatures: System Location Discovery: System Language Discovery; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSM2SFRNPEARO0PKOLCI.temp
  Filesize: 7KB
  MD5: edd35174c772e5c6b4a849d1c891cda1
  SHA1: 493a754281be430bab16c0734b5f13b31175e423
  SHA256: def1ba31df9db3cb7f824a036b9b13ac3b1b61f98cdd93d431405bda07aa71f4
  SHA512: 640e9bff3f5458aec87ebce70c0135fdbec85a3049edd3f1893ab7b95008523f719daa754c4ca007697245c3ea6a140ba02841a0915d715963b7dd5ca63ea660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 56683739b3e22496d8b8ab8531fb9505
  SHA1: c12c0baf9beb1111abc8f5feaece16684282b0f8
  SHA256: e922fdaa87382e6e66d994a1f2a92e5ddb411fbe98138deb1c619bf012f0654e
  SHA512: ceb3fe93858e5e29d82ac6826db493f370b3dba6839d28a469b00c69af4e48ab0b3d349dc0bac603e45a55d90f13e0cc4fc3e8ff28eeec490193e7bf545b8754
- \Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  Filesize: 483KB
  MD5: f3b57ccad1c0a308635e17aa591e4038
  SHA1: ca67ad3c74523b844fc23563f7b288f0389fd645
  SHA256: 5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7
  SHA512: 5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a