guloader | 3dbd6b79ffab366c6725afc3d80ca01359e8ddd59694e4caab3be85b72abc4af

Analysis

max time kernel
32s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payroll List_pdf.exe
Size

831KB
MD5

a262509d9e7799ba517432a2468b826e
SHA1

d72c16f19686bf9afbb89347632eda3703396e90
SHA256

f229c284ec539c5ee4feaea921a24a06c900079b4e8cb4b0965bdbb9f2fcef18
SHA512

81fd20cad8f4a3ae4e4f3638b5242061968535d22032e7003288e59bbd7b0aebd719e39731345b2efbf2f2e66950735b05ae124b44d93a08660f6d0df6459c1a
SSDEEP

24576:JUjfV4MC3d0qTpv6IPX9ky5awvY/X6eR8Mw2:kWt3djZ6IPDRqBXn

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:2404

196.251.93.4:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LQXWP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4740-71530-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/8028-71534-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4740-71529-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/3412-71794-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/8028-71534-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4740-71530-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/4740-71529-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	Payroll List_pdf.exe

Executes dropped EXE 3 IoCs

pid	Process
4436	remcos.exe
2280	remcos.exe
2120	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
232	Payroll List_pdf.exe
232	Payroll List_pdf.exe
4436	remcos.exe
4436	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
51	drive.google.com
71	drive.google.com
24	drive.google.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1604	Payroll List_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
232	Payroll List_pdf.exe
1604	Payroll List_pdf.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	Payroll List_pdf.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	Payroll List_pdf.exe
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
232	Payroll List_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1604	232	Payroll List_pdf.exe	95
PID 232 wrote to memory of 1604	232	Payroll List_pdf.exe	95
PID 232 wrote to memory of 1604	232	Payroll List_pdf.exe	95
PID 232 wrote to memory of 1604	232	Payroll List_pdf.exe	95
PID 428 wrote to memory of 4436	428	cmd.exe	107
PID 428 wrote to memory of 4436	428	cmd.exe	107
PID 428 wrote to memory of 4436	428	cmd.exe	107
PID 1604 wrote to memory of 2280	1604	Payroll List_pdf.exe	108
PID 1604 wrote to memory of 2280	1604	Payroll List_pdf.exe	108
PID 1604 wrote to memory of 2280	1604	Payroll List_pdf.exe	108
PID 5780 wrote to memory of 2120	5780	cmd.exe	109
PID 5780 wrote to memory of 2120	5780	cmd.exe	109
PID 5780 wrote to memory of 2120	5780	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\meifsztkfgsoxncrkhzh"
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\meifsztkfgsoxncrkhzh"
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\wyvptsdesokbhbydtstbrsx"
      4⤵
      PID:8028
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\haaiukofgwcfkhmhkdgcuejqun"
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\haaiukofgwcfkhmhkdgcuejqun"
      4⤵
      PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5780
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:6844
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:7556
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:1916
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:7116

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4148

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dyppekogerens.ini

Filesize
44B

MD5
6644a29c4fcb5c51650383ac2625163a

SHA1
75de5a6b73cd9bc47af952ad60679535cf768b27

SHA256
0d9e8205fb30192bec64aa7c4d7a0c9d98e469f6739aa321d3b85da16caa8abc

SHA512
2e6a476b3045a543a322332b2eb9d261002c3a278dc408b9eb5af3e4b136fe1b783c3091ce5edaaa7f3c8d2bffab714408bb23ae2e135cd034e1ff02ef36302a

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
831KB

MD5
a262509d9e7799ba517432a2468b826e

SHA1
d72c16f19686bf9afbb89347632eda3703396e90

SHA256
f229c284ec539c5ee4feaea921a24a06c900079b4e8cb4b0965bdbb9f2fcef18

SHA512
81fd20cad8f4a3ae4e4f3638b5242061968535d22032e7003288e59bbd7b0aebd719e39731345b2efbf2f2e66950735b05ae124b44d93a08660f6d0df6459c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn688F.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
64KB

MD5
473c0fe5cd075753d5b513c3c25465ce

SHA1
8221a550a2703eb7ef99931a3011328088afebd1

SHA256
7f7ee23d6e18eeaa3fc88261f4ba32c3ae0a23186c55334f93634fdb370f9d22

SHA512
c877948b852b8c34101ee15f9d12924acea2774ecbde5aeefc5f75ba78c569b56504a7aad371d1aac1d65c16488a0b747b65a27722beae4a48876a51976a9128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
3.2MB

MD5
24c453c82258126ae46700880f6cceef

SHA1
562fc29d0cd6a4853a5cf692d9d83839576f5aeb

SHA256
1874c5957744cf91e2cd38898b6eb27d89d4f20d2d9cb96c6bff31e9d2518d16

SHA512
e160eaf58106979143ff96d61a1f74808ce3bd75de510b60299ed83e2cad473267c548e835700bff7f6a5f5bff53ae1fa570cdccf5b18883b71db7aa0db27c69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
1.5MB

MD5
7cc0e28eeee617488f7b075beaab1bf6

SHA1
fc80b977f87f338011b1a9594661f17474cc3fc7

SHA256
0ff9df618f2c270ec002307a14203b8459baee9b0d6dd7df684599465c15ff85

SHA512
f60ef5af554bbb0414b77945b30c6c6e1388e9dc6bf12f83e179043a5d9e1704cbe9ed5e45d09518b217981fca03b05a0905b0f33727c6e6064412ad6677b1cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tmh.ini

Filesize
295B

MD5
09f74b91ee389deb1956fa911f819e9c

SHA1
693f9f96af012962ff6d4645fe38e294c8c5316b

SHA256
86e7165b8c377122d41f1833f6d2dd5c38031b2de6ff463d5b51969585f04998

SHA512
c74cca6e1a151e4f73c998d13caa908d8e10ee8bcaaa68946f69cc7c156c5a92994e3b3d680f4c78ade9757e575c6e23af37a815dda7baac2be81bcf49af4c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tralatitiously.ini

Filesize
280B

MD5
68b713a216781101284300debf730cd6

SHA1
b362ec481fe13a6054cd0cef698b4d316cfb7ebe

SHA256
83a278a60e3aed10ddcff0ea52c7315df48ccd3119d39a0dd218ce1cde813691

SHA512
ad24849ec1f621529f8e807de0610d03a23504f0d7eba759bc1a8cb473002c3016c8cfed7afcbdce3645c9a6f4e4fe2261f40fdbb35a44395404d74c03e8da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\trundle.ini

Filesize
638B

MD5
a1aa57bb9f555c4a095d0c817435a82e

SHA1
cd4933a29edf8f72af8f32586c2d1dfbc1ff575d

SHA256
6219fb47744d71837d70c9bc31deb2ce8120c707a7888f50fcf558b0c6bc96e7

SHA512
179122c07e04914b30e4da14dbc5182e2f7dfdaaa678645a2874ea8256f66aef30caaa199c65d4816b9e84f05279f37b7a8ce3cb99a82b3eaf59297039961885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tumleplads.ini

Filesize
279B

MD5
5e6a6b65956a1f5e1f65b9419a4827d0

SHA1
53f85675dacfed6393c04438a533fccfdb105075

SHA256
e86781a1f0b5d4ca96368bd63bc0807d942e1c41d8903d685659a56d2c7744aa

SHA512
ba7a3dd0839177cb7723d61de8bd669d6126222e03475cefff4c4de3f3f24022c34bc1c470fe5983e5a3f07c920d6fe1010e2adecd658bd22105692528ea327d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Pavonazzetto.mis

Filesize
1.1MB

MD5
7d060d3ad332eff7eabf0915f50b3a8d

SHA1
9352a2b1e485ada11fc53c755549dc36f1ddf949

SHA256
923908290b51a53a2be4ebd9935c675162bf60f82004a3a4eebd1da1652c998d

SHA512
8dab095fec80d47c3e3f5b2b78dc5fc704c0993bd0da9a42b4b2a2c9dea36b72a93d1de67ad060a66b527d714fb4454b972ee95e7e623ef3cd9b006788c645b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Smreolien33.dec

Filesize
2.0MB

MD5
1690c9a03bb7c977ac57b32b709bf714

SHA1
88ba17befa4004f4601fe627c4b48d3055e3c6ed

SHA256
296a1556b6bf8d00f8d7f00741f9a510a5123b05d738379fddc26357e29a3244

SHA512
1efa2243c9bf866aba6e1d12e0c6c620a478eb82ae8bb52b1f679d9cde154b5dc2c278aeb702b773f624cd132c91c557c71be8f384b8301fa03adbf417613ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Strikkepinden.Cli

Filesize
54KB

MD5
2d3da914fd285623e0b793b318a74d31

SHA1
33ba9c64522f1517f753a70f55f411ef9ffc94d9

SHA256
231656e5e99fcedb3c2fcc41a342faa3d37b4f0b1f16a8d4784ca3b215a84ae1

SHA512
ddc61d53c13f397ac43dfc3877451686c88776d2b3dc8c5960e52dc51357bf15b1d6f0005204e339f506a9ba4f08511a9b7dfe884ccbb6ae7f896510c78556a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Synthesizes33.txt

Filesize
504B

MD5
87e7fee841319934f8854a753077879b

SHA1
0e5e732e212d54e71808e5c1c921c4459b597193

SHA256
82b873d4137f2d2a4aceedcc5ad6c9fef39460308cbbce54f37529cdfcc1ba57

SHA512
05c2aa2d6468306132c806e585eb9ba9f09554c53638e596b97b952fff6b0324c4012a063e513437e881656aaab1043c530976acd1eb79e00ac4d6dbf1b1cd16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Unfrizzly.Kin

Filesize
326KB

MD5
6f6cde0440673fbe100066bed7fa252b

SHA1
6210a6ca2b3d58841eaabc6dbb8a5d2c1da28543

SHA256
3f872c2978d5aa10a6112e81a94e7d23f788a8d8430be0e7a61ab9747cf4fc0b

SHA512
8f0f04a6397fe7e2e21d9d2424ae367ea2c68598b20a9811d36f334d86786ad59e5cdf8b830a5eed79c27184cd2ce0cec9f45a633d7676d0c938ff47fbe6b972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\bugloss.rai

Filesize
3.5MB

MD5
7a8f61bcccc6e42fac7f5e9b3810ba5c

SHA1
927544bd328d3db39c96f7cca792758e446ac8ad

SHA256
ba1b5576489f8324575def8bc86091ebdde33011b3bd4d09876393fdbcc9e30e

SHA512
f0049f39044c21b863615252d0b70d17fb45483bc3a8eda0fb4ab353a6d416761a354705587aeee0dc66e802334babf1d364a1ac55e1f54486ae485f1ecd6622

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\bugloss.rai

Filesize
1.8MB

MD5
caa3fc8e3fd6b185073a90a0dcd7588e

SHA1
f07b0c062be1992345c1ca4397649016ea8c54be

SHA256
46d34535c5b33fd3c8604ae7ec61511ef0cb0ac47a59cac1505b97a409d679f3

SHA512
263c3598f4dfadfcba58a8c8a21eebdf4e6c36f1b035366fa255f24ddafb1e886536c5f3e8dbf0eb6be1e0aeee9e2db50bb388efad810a354b119335b1d46544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\censorkorpsenes.ini

Filesize
305B

MD5
a4a2aa48417985844c196b3cd5e2b70d

SHA1
1dbddbd73130a1a5ea6f281c990bdc30801739d6

SHA256
40fc272178b28026f17c2d506684a7c7c5ae3c3d35cc8aee1aaf0d3b8bdd8782

SHA512
b26f890c7501a3f348a40c9365659cf57c10326d9a06d503468df5a5529237d06a2e314734e65238b318a7a74b85107fdd2aa339eb63f5368aed7b36208172cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\coralliferous.ini

Filesize
320B

MD5
18f56af1efeb71430fbb3beef59cc50c

SHA1
0877c338f90045ca71257813b30a4e336d529f4b

SHA256
66b83566825b4a557cc6b276321069c7bc9821963ec1c87d09b61a1c9357e1d0

SHA512
e9f643d19a1ac2ecefb6c200c37794310e85647fc8382903000b367d1988f0a56800e2826488b723cba2c100be145cbddd20efd91bc8ef7e212e1b55cb701cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\stivnedes.ini

Filesize
555B

MD5
18a67a1fae480cd33bff380eac1b72a4

SHA1
8b84634c187fd6f31905c86cb7495d4d3f70e71e

SHA256
370f70c21de89b48f34e89b71c96a0a32fab7b67437fa3918a4ce312ddd63a46

SHA512
09588a194a267bc6a8246d1d836546e29de75083181803442fe29e1a18ca98be1439ea3a14e0ca745beb4798cf4670dca10905fe33aefb6a4ad7180e6bf154c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\sulfamyl.ini

Filesize
456B

MD5
a2ff4b479c512364f2902c1849882995

SHA1
7337c45a5c9253682d5faa5a37bcbb5390f84774

SHA256
2ed67e96c1cda469b2cf2c7b7ebecf35c21338c72208b6c28927216301d7449c

SHA512
8eec2c09e0079dce130443c562c30e2eb2decd5e06ac9517414b1d256f8a8ee47572a73da32bff54c9d3114a171bb9a91fe3d8631171bc8d1ba35116ee7ea0be

Download Submit
memory/232-293-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/232-294-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/232-292-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/920-334795-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1604-297-0x0000000077D85000-0x0000000077D86000-memory.dmp

Filesize
4KB

Download
memory/1604-307-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1604-308-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/1604-313-0x0000000077CE1000-0x0000000077E01000-memory.dmp

Filesize
1.1MB

Download
memory/1604-312-0x0000000001700000-0x000000000556B000-memory.dmp

Filesize
62.4MB

Download
memory/1604-296-0x0000000077D68000-0x0000000077D69000-memory.dmp

Filesize
4KB

Download
memory/1604-295-0x0000000001700000-0x000000000556B000-memory.dmp

Filesize
62.4MB

Download
memory/1604-327-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-176799-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-72585-0x0000000035F90000-0x0000000035FA9000-memory.dmp

Filesize
100KB

Download
memory/2956-70225-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-334797-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-37205-0x0000000001700000-0x000000000556B000-memory.dmp

Filesize
62.4MB

Download
memory/2956-328430-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-317807-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-281276-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-268051-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-66167-0x0000000001700000-0x000000000556B000-memory.dmp

Filesize
62.4MB

Download
memory/2956-254222-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-72589-0x0000000035F90000-0x0000000035FA9000-memory.dmp

Filesize
100KB

Download
memory/2956-72588-0x0000000035F90000-0x0000000035FA9000-memory.dmp

Filesize
100KB

Download
memory/2956-206172-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-82451-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-241168-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-97166-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-230005-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-217932-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-111079-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-128189-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-144873-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-160372-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-65794-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2956-191830-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3412-71791-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3412-71794-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3412-71792-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4740-71529-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4740-71530-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/7116-99417-0x0000000001700000-0x000000000556B000-memory.dmp

Filesize
62.4MB

Download
memory/7116-99441-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/7116-95457-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/8028-71533-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/8028-71534-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/8028-71532-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads