Analysis
max time kernel: 95s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2025, 13:22
Static task
static1
Behavioral task
behavioral1
Sample
2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Resource
win7-20240903-en
General
Target: 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Size: 9.3MB
MD5: 48f47dfef969ad187f63e6a2e7d8d4be
SHA1: 89941f5a93da8c7e679800714c794f21e8aa397a
SHA256: 64d8228ab44e493d6574e34b4642c97ee4127e4d0c422dc6e5b1bc8b0dcf6fb1
SHA512: 4d0fbc54b983c89977578ad28e4633b019087b371a6bd124990b44382b5ce5633c2542ecde841739153d1a3f87b47fb63877857c940558446aef4fdfcc1eba15
SSDEEP: 196608:DzzoF/uD9jckrCFsu3iqo/U0/YIBjWrqufezvnU72:DHOeCz0/YojW2uGz/U72
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Sality family
UAC bypass 3 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Windows security bypass 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Executes dropped EXE 3 IoCs
pid Process
2236 lite_installer.exe
4400 seederexe.exe
12600 sender.exe
Loads dropped DLL 10 IoCs
pid Process
1236 MsiExec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 TTPs 7 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Blocklisted process makes network request 2 IoCs
flow pid Process
20 1892 msiexec.exe
23 1892 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
resource yara_rule
behavioral2/memory/3668-7-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-10-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-3-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-12-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-11-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-9-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-26-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-28-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-27-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-31-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-32-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-50-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-72-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-73-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-151-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-188-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
behavioral2/memory/3668-750-0x0000000002C60000-0x0000000003CEE000-memory.dmp upx
Drops file in Windows directory 18 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSIE78A.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e57d6d8.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIE138.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE311.tmp msiexec.exe
File opened for modification C:\Windows\SYSTEM.INI 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSIE351.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE518.tmp msiexec.exe
File created C:\Windows\Installer\e57d6d8.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSIE224.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE321.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE3CF.tmp msiexec.exe
File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} msiexec.exe
File opened for modification C:\Windows\Installer\MSIE7DA.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE1A6.tmp msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIE283.tmp msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lite_installer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language seederexe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sender.exe
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Internet Explorer\SearchScopes seederexe.exe
Key created \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Internet Explorer\Main seederexe.exe
Modifies system certificate store 2 TTPs 6 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process
3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
1892 msiexec.exe
2236 lite_installer.exe
4400 seederexe.exe
12600 sender.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target
PID 3668 wrote to memory of 784 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 8
PID 3668 wrote to memory of 792 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 9
PID 3668 wrote to memory of 380 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 13
PID 3668 wrote to memory of 2532 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 42
PID 3668 wrote to memory of 2544 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 43
PID 3668 wrote to memory of 2652 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 46
PID 3668 wrote to memory of 3620 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 56
PID 3668 wrote to memory of 3744 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 57
PID 3668 wrote to memory of 3920 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 58
PID 3668 wrote to memory of 4012 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 59
PID 3668 wrote to memory of 4084 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 60
PID 3668 wrote to memory of 780 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 61
PID 3668 wrote to memory of 4244 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 62
PID 3668 wrote to memory of 4512 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 64
PID 3668 wrote to memory of 3096 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 76
PID 3668 wrote to memory of 1716 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 80
PID 3668 wrote to memory of 2300 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 81
PID 3668 wrote to memory of 4132 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 84
PID 3668 wrote to memory of 2224 3668 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe 85
PID 1892 wrote to memory of 1236 1892 msiexec.exe 88
PID 1236 wrote to memory of 2236 1236 MsiExec.exe 89
PID 1236 wrote to memory of 4400 1236 MsiExec.exe 91
PID 4400 wrote to memory of 12600 4400 seederexe.exe 92
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe
Processes
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:784
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:792
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:380
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2532
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2544
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2652
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:3620
C:\Users\Admin\AppData\Local\Temp\2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe "C:\Users\Admin\AppData\Local\Temp\2025-02-01_48f47dfef969ad187f63e6a2e7d8d4be_hawkeye_luca-stealer_magniber.exe" 2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3668
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3744
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3920
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:4012
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4084
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:780
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4244
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4512
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:3096
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca 1⤵ PID:1716
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:2300
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4132
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:2224
-
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892
-
C:\Windows\syswow64\MsiExec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A549385B7096605ABC8E355B5B7D7DC0 2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
-
C:\Users\Admin\AppData\Local\Temp\E24C390E-4EB3-4746-B485-08F5387FB594\lite_installer.exe "C:\Users\Admin\AppData\Local\Temp\E24C390E-4EB3-4746-B485-08F5387FB594\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2236
-
-
C:\Users\Admin\AppData\Local\Temp\0B2AFE7B-AF59-4A26-8E1F-DC449B890426\seederexe.exe "C:\Users\Admin\AppData\Local\Temp\0B2AFE7B-AF59-4A26-8E1F-DC449B890426\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\78AB7462-6AC4-47E6-86C0-462EBA913127\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4400
-
C:\Users\Admin\AppData\Local\Temp\78AB7462-6AC4-47E6-86C0-462EBA913127\sender.exe C:\Users\Admin\AppData\Local\Temp\78AB7462-6AC4-47E6-86C0-462EBA913127\sender.exe --send "/status.xml?clid=2356518&uuid=224c6c6f-45d2-4c47-a63b-fc5318262e85&vnt=Windows 10x64&file-no=8%0A15%0A25%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A125%0A129%0A" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:12600
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (7)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize 5B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize 1KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501
Filesize 508B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2
Filesize 436B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8E55FEB142F566DFBD0ED964FAB94545
Filesize 210B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4
Filesize 502B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0B1E3C3B1330A269DBEE4BA6313E7B4
Filesize 208B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0
Filesize 440B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ksr1zwqy.Admin\places.sqlite-20250201132252.634763.backup
Filesize 68KB