guloader | 3dbd6b79ffab366c6725afc3d80ca01359e8ddd59694e4caab3be85b72abc4af

Analysis

max time kernel
58s
max time network
59s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payroll List_pdf.exe
Size

831KB
MD5

a262509d9e7799ba517432a2468b826e
SHA1

d72c16f19686bf9afbb89347632eda3703396e90
SHA256

f229c284ec539c5ee4feaea921a24a06c900079b4e8cb4b0965bdbb9f2fcef18
SHA512

81fd20cad8f4a3ae4e4f3638b5242061968535d22032e7003288e59bbd7b0aebd719e39731345b2efbf2f2e66950735b05ae124b44d93a08660f6d0df6459c1a
SSDEEP

24576:JUjfV4MC3d0qTpv6IPX9ky5awvY/X6eR8Mw2:kWt3djZ6IPDRqBXn

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:2404

196.251.93.4:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LQXWP4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	remcos.exe

Loads dropped DLL 6 IoCs

pid	Process
2408	Payroll List_pdf.exe
2408	Payroll List_pdf.exe
3056	Payroll List_pdf.exe
2924	remcos.exe
2924	remcos.exe
2600	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-LQXWP4 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
6	drive.google.com
16	drive.google.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	Payroll List_pdf.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3056	Payroll List_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2408	Payroll List_pdf.exe
3056	Payroll List_pdf.exe
2924	remcos.exe
2600	remcos.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	Payroll List_pdf.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	Payroll List_pdf.exe
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2408	Payroll List_pdf.exe
2924	remcos.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3056	2408	Payroll List_pdf.exe	28
PID 2408 wrote to memory of 3056	2408	Payroll List_pdf.exe	28
PID 2408 wrote to memory of 3056	2408	Payroll List_pdf.exe	28
PID 2408 wrote to memory of 3056	2408	Payroll List_pdf.exe	28
PID 2408 wrote to memory of 3056	2408	Payroll List_pdf.exe	28
PID 3056 wrote to memory of 2924	3056	Payroll List_pdf.exe	33
PID 3056 wrote to memory of 2924	3056	Payroll List_pdf.exe	33
PID 3056 wrote to memory of 2924	3056	Payroll List_pdf.exe	33
PID 3056 wrote to memory of 2924	3056	Payroll List_pdf.exe	33
PID 2924 wrote to memory of 2600	2924	remcos.exe	35
PID 2924 wrote to memory of 2600	2924	remcos.exe	35
PID 2924 wrote to memory of 2600	2924	remcos.exe	35
PID 2924 wrote to memory of 2600	2924	remcos.exe	35
PID 2924 wrote to memory of 2600	2924	remcos.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:2600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dyppekogerens.ini

Filesize
44B

MD5
6644a29c4fcb5c51650383ac2625163a

SHA1
75de5a6b73cd9bc47af952ad60679535cf768b27

SHA256
0d9e8205fb30192bec64aa7c4d7a0c9d98e469f6739aa321d3b85da16caa8abc

SHA512
2e6a476b3045a543a322332b2eb9d261002c3a278dc408b9eb5af3e4b136fe1b783c3091ce5edaaa7f3c8d2bffab714408bb23ae2e135cd034e1ff02ef36302a

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
831KB

MD5
a262509d9e7799ba517432a2468b826e

SHA1
d72c16f19686bf9afbb89347632eda3703396e90

SHA256
f229c284ec539c5ee4feaea921a24a06c900079b4e8cb4b0965bdbb9f2fcef18

SHA512
81fd20cad8f4a3ae4e4f3638b5242061968535d22032e7003288e59bbd7b0aebd719e39731345b2efbf2f2e66950735b05ae124b44d93a08660f6d0df6459c1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
14f8c8b3f0a8e12a7ac7515facb31487

SHA1
13eaa6c33482736490bf071f52c472ee4f75bce1

SHA256
cbee53002f98f7e03604e108f6bde672099fbe470bf48a312e745887bf299725

SHA512
81f3a8e11c6a7023d6fac217628a86816a88baa0678e6f6224689b7839b45c35b02d53ebaf1a05222c64771cead592d1752d8abe65c8f5b52a838e46f58bd1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C

Filesize
472B

MD5
4bfa971a7a7d50b72bb228fd64157f9e

SHA1
8f3a54af31f9dc169fe8403003b3c74b06aa0c80

SHA256
1c6207bc1dac8250a180378ba5dc2c3e778489097d6a1a4d708de4198a21fbfe

SHA512
e8dddf2213e0620f54c16d780358e19e8aa5ca7e698e1184127b766427c941e9dbd8e0e1efef65efbdfd7e99e79a9e9dfa8aa9800115e66c20c3428eea57b503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_14926B8298A57E2D3C526CDC93311069

Filesize
471B

MD5
96c014ca9aca4521bc3c607ea102264c

SHA1
4a4ff56cea54a50b117f58e885bcbff88ae1500c

SHA256
44af118201b80db61df92b4a9238f9e93b42fbdd708b20970f754110850b5d5e

SHA512
23ef7a983a8bbdf409294755f7b91b6a2adbb35c45f5d62f877b41e9db7f110492ed4e57cd79aa1e88618c2d687f586a0569c2ceb3aa46846c6fe9ad945a9d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
77a813c666449f78420fd38c458cd523

SHA1
c24ff3fe8a224d0fabfe5c0342b0ddbaba9a5f5e

SHA256
c8df21b1276dd9a973776efaa3ed06ad9713cb05dcb57d351dcc3e85716f4e0e

SHA512
8a9fca5af55fcb8ed3a33d0916ac45e06e365020b478c9df1e0daed803982e0ff158fa0d85d43c6195444d7f3b564c95de7b16412a8348ce50af3bc549ddfb8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
45aefd4108f24f62440c6239eb937111

SHA1
f8067bf55e0331941cd1b2ac7487447d8d1c4313

SHA256
af377d7b32869483e687c0ca74eafb49a414b15b2640fb4732ddfec9f473ca52

SHA512
e4e5b291cc50dff755b57d805561d4cb22a1942790e852b4aaf107cf9e62960523b2c000a966fe4afcc6ebd655d0d4d3c0170729cdf5c31f39c7187670dfcacd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_83F29ED1D5F129EB605BF640EBE52C8C

Filesize
402B

MD5
33619961a1903b9b222996f269ae453b

SHA1
0457d88965c6bfcbf5d43479622112fa272b78fa

SHA256
7cefce2f0c3c39212662ab14b012d2677ed9b06fa5b075a272169bffcc67fdfc

SHA512
4a4fe6a6ccc3e8e1b2af14677df27d4d0b5646085f441b17acb0f012deda36e64fa0f7c0de273c981c52693c6d4b3bb5a28f84d1959621499bae18ce8abe83f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_14926B8298A57E2D3C526CDC93311069

Filesize
402B

MD5
1b3ea249007b6d71a9bff292842632b5

SHA1
b58d72bd7b8446add230e21c406475e82e3cccec

SHA256
f370c7c3c65346104d99e752b9e1525406f75844e4bd428343f422b2d0984566

SHA512
92ed22a3f8fce21854609a3b1621b16d0c5e34bf6187f2cb18f58672f628f883e65377af102e5488e8270971f0eed4df150cf2a1b45bd44a787023fb658346d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcaade7935ebf79cdb05b0c2e8176a0e

SHA1
9c79f7d80898511530f6f12c426dbc720cbe4d69

SHA256
fac6d1dbcd0898965b92dbe8074d5974d47e487a65e2007b3b42f7990835e79e

SHA512
81a129d0e7136b836df87cc3452ec9f9b01535cfb2711ba69e0c13d4f8c23eb4602554f29e7baefed785d261a2ec9ba0185b8f224f6188d3cc196fcdd65943fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BA2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
3.2MB

MD5
24c453c82258126ae46700880f6cceef

SHA1
562fc29d0cd6a4853a5cf692d9d83839576f5aeb

SHA256
1874c5957744cf91e2cd38898b6eb27d89d4f20d2d9cb96c6bff31e9d2518d16

SHA512
e160eaf58106979143ff96d61a1f74808ce3bd75de510b60299ed83e2cad473267c548e835700bff7f6a5f5bff53ae1fa570cdccf5b18883b71db7aa0db27c69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tmh.ini

Filesize
295B

MD5
09f74b91ee389deb1956fa911f819e9c

SHA1
693f9f96af012962ff6d4645fe38e294c8c5316b

SHA256
86e7165b8c377122d41f1833f6d2dd5c38031b2de6ff463d5b51969585f04998

SHA512
c74cca6e1a151e4f73c998d13caa908d8e10ee8bcaaa68946f69cc7c156c5a92994e3b3d680f4c78ade9757e575c6e23af37a815dda7baac2be81bcf49af4c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tralatitiously.ini

Filesize
280B

MD5
68b713a216781101284300debf730cd6

SHA1
b362ec481fe13a6054cd0cef698b4d316cfb7ebe

SHA256
83a278a60e3aed10ddcff0ea52c7315df48ccd3119d39a0dd218ce1cde813691

SHA512
ad24849ec1f621529f8e807de0610d03a23504f0d7eba759bc1a8cb473002c3016c8cfed7afcbdce3645c9a6f4e4fe2261f40fdbb35a44395404d74c03e8da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\trundle.ini

Filesize
638B

MD5
a1aa57bb9f555c4a095d0c817435a82e

SHA1
cd4933a29edf8f72af8f32586c2d1dfbc1ff575d

SHA256
6219fb47744d71837d70c9bc31deb2ce8120c707a7888f50fcf558b0c6bc96e7

SHA512
179122c07e04914b30e4da14dbc5182e2f7dfdaaa678645a2874ea8256f66aef30caaa199c65d4816b9e84f05279f37b7a8ce3cb99a82b3eaf59297039961885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Familieejede\tumleplads.ini

Filesize
279B

MD5
5e6a6b65956a1f5e1f65b9419a4827d0

SHA1
53f85675dacfed6393c04438a533fccfdb105075

SHA256
e86781a1f0b5d4ca96368bd63bc0807d942e1c41d8903d685659a56d2c7744aa

SHA512
ba7a3dd0839177cb7723d61de8bd669d6126222e03475cefff4c4de3f3f24022c34bc1c470fe5983e5a3f07c920d6fe1010e2adecd658bd22105692528ea327d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Pavonazzetto.mis

Filesize
1.1MB

MD5
7d060d3ad332eff7eabf0915f50b3a8d

SHA1
9352a2b1e485ada11fc53c755549dc36f1ddf949

SHA256
923908290b51a53a2be4ebd9935c675162bf60f82004a3a4eebd1da1652c998d

SHA512
8dab095fec80d47c3e3f5b2b78dc5fc704c0993bd0da9a42b4b2a2c9dea36b72a93d1de67ad060a66b527d714fb4454b972ee95e7e623ef3cd9b006788c645b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Smreolien33.dec

Filesize
2.0MB

MD5
1690c9a03bb7c977ac57b32b709bf714

SHA1
88ba17befa4004f4601fe627c4b48d3055e3c6ed

SHA256
296a1556b6bf8d00f8d7f00741f9a510a5123b05d738379fddc26357e29a3244

SHA512
1efa2243c9bf866aba6e1d12e0c6c620a478eb82ae8bb52b1f679d9cde154b5dc2c278aeb702b773f624cd132c91c557c71be8f384b8301fa03adbf417613ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Strikkepinden.Cli

Filesize
54KB

MD5
2d3da914fd285623e0b793b318a74d31

SHA1
33ba9c64522f1517f753a70f55f411ef9ffc94d9

SHA256
231656e5e99fcedb3c2fcc41a342faa3d37b4f0b1f16a8d4784ca3b215a84ae1

SHA512
ddc61d53c13f397ac43dfc3877451686c88776d2b3dc8c5960e52dc51357bf15b1d6f0005204e339f506a9ba4f08511a9b7dfe884ccbb6ae7f896510c78556a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Synthesizes33.txt

Filesize
504B

MD5
87e7fee841319934f8854a753077879b

SHA1
0e5e732e212d54e71808e5c1c921c4459b597193

SHA256
82b873d4137f2d2a4aceedcc5ad6c9fef39460308cbbce54f37529cdfcc1ba57

SHA512
05c2aa2d6468306132c806e585eb9ba9f09554c53638e596b97b952fff6b0324c4012a063e513437e881656aaab1043c530976acd1eb79e00ac4d6dbf1b1cd16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Unfrizzly.Kin

Filesize
326KB

MD5
6f6cde0440673fbe100066bed7fa252b

SHA1
6210a6ca2b3d58841eaabc6dbb8a5d2c1da28543

SHA256
3f872c2978d5aa10a6112e81a94e7d23f788a8d8430be0e7a61ab9747cf4fc0b

SHA512
8f0f04a6397fe7e2e21d9d2424ae367ea2c68598b20a9811d36f334d86786ad59e5cdf8b830a5eed79c27184cd2ce0cec9f45a633d7676d0c938ff47fbe6b972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\censorkorpsenes.ini

Filesize
305B

MD5
a4a2aa48417985844c196b3cd5e2b70d

SHA1
1dbddbd73130a1a5ea6f281c990bdc30801739d6

SHA256
40fc272178b28026f17c2d506684a7c7c5ae3c3d35cc8aee1aaf0d3b8bdd8782

SHA512
b26f890c7501a3f348a40c9365659cf57c10326d9a06d503468df5a5529237d06a2e314734e65238b318a7a74b85107fdd2aa339eb63f5368aed7b36208172cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\coralliferous.ini

Filesize
320B

MD5
18f56af1efeb71430fbb3beef59cc50c

SHA1
0877c338f90045ca71257813b30a4e336d529f4b

SHA256
66b83566825b4a557cc6b276321069c7bc9821963ec1c87d09b61a1c9357e1d0

SHA512
e9f643d19a1ac2ecefb6c200c37794310e85647fc8382903000b367d1988f0a56800e2826488b723cba2c100be145cbddd20efd91bc8ef7e212e1b55cb701cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\stivnedes.ini

Filesize
555B

MD5
18a67a1fae480cd33bff380eac1b72a4

SHA1
8b84634c187fd6f31905c86cb7495d4d3f70e71e

SHA256
370f70c21de89b48f34e89b71c96a0a32fab7b67437fa3918a4ce312ddd63a46

SHA512
09588a194a267bc6a8246d1d836546e29de75083181803442fe29e1a18ca98be1439ea3a14e0ca745beb4798cf4670dca10905fe33aefb6a4ad7180e6bf154c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\sulfamyl.ini

Filesize
456B

MD5
a2ff4b479c512364f2902c1849882995

SHA1
7337c45a5c9253682d5faa5a37bcbb5390f84774

SHA256
2ed67e96c1cda469b2cf2c7b7ebecf35c21338c72208b6c28927216301d7449c

SHA512
8eec2c09e0079dce130443c562c30e2eb2decd5e06ac9517414b1d256f8a8ee47572a73da32bff54c9d3114a171bb9a91fe3d8631171bc8d1ba35116ee7ea0be

Download Submit
\Users\Admin\AppData\Local\Temp\nsi569A.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
memory/2408-294-0x0000000077A31000-0x0000000077B32000-memory.dmp

Filesize
1.0MB

Download
memory/2408-295-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/2600-645-0x0000000001510000-0x000000000537B000-memory.dmp

Filesize
62.4MB

Download
memory/3056-326-0x0000000001510000-0x000000000537B000-memory.dmp

Filesize
62.4MB

Download
memory/3056-332-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/3056-322-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/3056-298-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/3056-297-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download
memory/3056-296-0x0000000001510000-0x000000000537B000-memory.dmp

Filesize
62.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads