guloader | 760f8737397a004b29d0b7f0e6eed10813d129a07d2510bfb582b34b9121778c

Analysis

max time kernel
61s
max time network
82s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25FC004658_Femetagershusenes.exe
Size

601KB
MD5

77221f5f2a4984872389759b83446a62
SHA1

07c1d4795c8ec52dff45be198abde62c331ded59
SHA256

d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588
SHA512

bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485
SSDEEP

12288:SDGg/i9HZmS7DpP5AkavuzLiB5Puhrxk/8872b5GmledTRfSCG+sQCVv:jD5PUkwuKB8rxk0omle3VG+shVv

Score

10^/10

guloader remcos parosh new discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PAROSH NEW

parosh.didns.ru:3011

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
polshmy
keylog_path
%AppData%
mouse_option
false
mutex
psh983mn-LGLX6H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
2216	Funktionsafprvningerne.exe
2648	Funktionsafprvningerne.exe
2832	Funktionsafprvningerne.exe

Loads dropped DLL 4 IoCs

pid	Process
2596	25FC004658_Femetagershusenes.exe
2216	Funktionsafprvningerne.exe
2648	Funktionsafprvningerne.exe
2832	Funktionsafprvningerne.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

pid	Process
2952	IMCCPHR.exe
604	IMCCPHR.exe
1316	IMCCPHR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2596	25FC004658_Femetagershusenes.exe
2952	IMCCPHR.exe
2216	Funktionsafprvningerne.exe
604	IMCCPHR.exe
2648	Funktionsafprvningerne.exe
1316	IMCCPHR.exe
2832	Funktionsafprvningerne.exe
1780	IMCCPHR.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	25FC004658_Femetagershusenes.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25FC004658_Femetagershusenes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2596	25FC004658_Femetagershusenes.exe
2216	Funktionsafprvningerne.exe
2648	Funktionsafprvningerne.exe
2832	Funktionsafprvningerne.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2440	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	2288	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe
Token: SeShutdownPrivilege	1924	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2440	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
2288	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe
1924	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	IMCCPHR.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2952	2596	25FC004658_Femetagershusenes.exe	31
PID 2596 wrote to memory of 2952	2596	25FC004658_Femetagershusenes.exe	31
PID 2596 wrote to memory of 2952	2596	25FC004658_Femetagershusenes.exe	31
PID 2596 wrote to memory of 2952	2596	25FC004658_Femetagershusenes.exe	31
PID 2596 wrote to memory of 2952	2596	25FC004658_Femetagershusenes.exe	31
PID 2440 wrote to memory of 2216	2440	explorer.exe	33
PID 2440 wrote to memory of 2216	2440	explorer.exe	33
PID 2440 wrote to memory of 2216	2440	explorer.exe	33
PID 2440 wrote to memory of 2216	2440	explorer.exe	33
PID 2216 wrote to memory of 604	2216	Funktionsafprvningerne.exe	36
PID 2216 wrote to memory of 604	2216	Funktionsafprvningerne.exe	36
PID 2216 wrote to memory of 604	2216	Funktionsafprvningerne.exe	36
PID 2216 wrote to memory of 604	2216	Funktionsafprvningerne.exe	36
PID 2216 wrote to memory of 604	2216	Funktionsafprvningerne.exe	36
PID 2288 wrote to memory of 2648	2288	explorer.exe	38
PID 2288 wrote to memory of 2648	2288	explorer.exe	38
PID 2288 wrote to memory of 2648	2288	explorer.exe	38
PID 2288 wrote to memory of 2648	2288	explorer.exe	38
PID 2648 wrote to memory of 1316	2648	Funktionsafprvningerne.exe	41
PID 2648 wrote to memory of 1316	2648	Funktionsafprvningerne.exe	41
PID 2648 wrote to memory of 1316	2648	Funktionsafprvningerne.exe	41
PID 2648 wrote to memory of 1316	2648	Funktionsafprvningerne.exe	41
PID 2648 wrote to memory of 1316	2648	Funktionsafprvningerne.exe	41
PID 1924 wrote to memory of 2832	1924	explorer.exe	43
PID 1924 wrote to memory of 2832	1924	explorer.exe	43
PID 1924 wrote to memory of 2832	1924	explorer.exe	43
PID 1924 wrote to memory of 2832	1924	explorer.exe	43
PID 2832 wrote to memory of 1780	2832	Funktionsafprvningerne.exe	46
PID 2832 wrote to memory of 1780	2832	Funktionsafprvningerne.exe	46
PID 2832 wrote to memory of 1780	2832	Funktionsafprvningerne.exe	46
PID 2832 wrote to memory of 1780	2832	Funktionsafprvningerne.exe	46
PID 2832 wrote to memory of 1780	2832	Funktionsafprvningerne.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe
"C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
  "C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    "C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
f5aedcdf049f6dd3065cb9a91d23f324

SHA1
191bb10a3aec519f335a7d115dd3632557c375aa

SHA256
76cd89f1f9436dcbc38d694441100d0939c3439d9e96f524dea0a6373d5df7e6

SHA512
10d015798c78a09c34d2b5fc89c32d24c311c17b3dea73441b4acbf33902db4468dfba28fc839167b49dafcfdfa7371bde5210f49a16263d0cb0ecb0c83edd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
471B

MD5
4290d29fe7d42d6202716822c711a443

SHA1
bc927e004de7034bc6cf168a0779aab81df7d41a

SHA256
88b8e4ec7c2a917a58493593abdb6e2217a961a3251ed1ef7b1acd3981121017

SHA512
4cd870648c58f86a520dd1bce9d6c85c03e9a4c63f4f345658aa3f86a399b40777e83dfe1a09bee0d71e226eaad374f037a4f53e118397727d8a5f9a164c21f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00d1cdcd3df399c89638be4eea238a11

SHA1
d65e84e1c3967daab07757c664ff1c1d3f328dbf

SHA256
67249dc95a9fbe56dd10753cd875d45a0a778224831753fddfa15b5f131ff9f8

SHA512
4dcf034869656b511a2a87764e21d7d7904474f01e2a6c1ff7d810c392779d4843585e1ad8287bd8b708c38e43e5dea4cbcd6538088dcc6fed143ce540539e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
f7f4402c6f195e61b9f01992c13ee2fe

SHA1
2cfd5ea5a681c0c508ca78d2218cf45b280f866f

SHA256
ca86e36d30ff74d2e82d8d8228fc04d42402267b5a41fbbeb6e32e38f6df2b2f

SHA512
3a0996f426b2d134b103c7a17c13af9bb5629fbc9ad7daa20e901a0111b2d0c227bd42d69e41e5c0935100f926976455012e1e00ea985ca58ab26ff0199c6283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
d397948b32ff7aa89e92f6b2f2ceeeb4

SHA1
bf68e6438b997fd06e85e5085f7c583b72ef371d

SHA256
88011ff65b83b38d8c18c07f6b53edfa9f4f86c677943235edec998d7c1ff05f

SHA512
1ee92038aa884587f99c57978f0c8558b477a4a75f67000ef863a0efc298dac29d43a3b85cdc9ebdc44b144f6d65795033082cd4d9377165682396378774d8e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
400B

MD5
2211202b6b623bc70408fa9c978af6d5

SHA1
03aa9122b9c9859409ee0999b1e28923a77031ef

SHA256
6c2933e138a980b9817c50dc42875e5dae0ec2ffaafe7abc7c91fd9429cf9115

SHA512
8bbc01b0b217d916d215e7546a15d95b8a68db40545f337544f5f1a52cc336316a698513fe634476f83507260bfef27a14b1b5363408676a559e86270f038f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe

Filesize
601KB

MD5
77221f5f2a4984872389759b83446a62

SHA1
07c1d4795c8ec52dff45be198abde62c331ded59

SHA256
d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

SHA512
bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Barnagtigt138.ini

Filesize
358B

MD5
a7171e05f022a1f6a7248e12fbccf748

SHA1
892d0916f107e4353f9b1f8195eae8c7288a9786

SHA256
6752d4faabfb64279eb5dc73418ed24d1d9cdb78a92915984b4c395842768b94

SHA512
c09becb22987b2a7c67e67e36c01ea6f7c874cef759d526eb61e4a59887a65d2b476a7b8efe6db1e3204d14aa3f245cf6b78a890fc20ac2977183b194a1826d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Jested.Tek192

Filesize
361KB

MD5
4ec9cbbd7066419d2ceff69ad3805e01

SHA1
4d197384c43e59aace38749aa8194657c594fe5e

SHA256
129a1f70792363b3359623b465db0dcf9fa3267e36322b04eea5739086d9fcfa

SHA512
86a842c471d1db41bf47040d3a14945c2e1dcda265ac6966defe744628b3f2b6fb92ad5b7a72c38466f9165f5e3163e81e2392f37b7f761862619f55bf436ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Desk120.pro

Filesize
51KB

MD5
13b04bc417af81c854aa09dbb72af9c0

SHA1
98c21022ed8b3a853e941e3198736a00916cda3f

SHA256
fc21d861ddd497bd57bddb3bc2f565212d6851f7b4a59154f0dbb06926f393e6

SHA512
a41c15512047491a90f9adbc46a840a69379f1cddebd8ec7100d2fc2e1fae414ae59dcb226da91c00362f9de1a0f7401e66a1e0f1f5daab7407ee10c76eedc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Movieize.Hre

Filesize
124KB

MD5
07d9ec3690d68db14a35137e43e76590

SHA1
af3bcb09e8f9a095fc3aa747d73fd0701815d24e

SHA256
491cb797cfde3e8d2bdb9028f29a85f5bb9be1b8758c0b4f30b01655cdbcd14a

SHA512
66225f7b3c8898d93fdcf22b49f1f771dc01673ca240344675dbbc9c8d589e8bf9d57c9dcd6f98dec61df88427230a4213523661cc843bc23d41092057c22db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\dialogformerne.jpg

Filesize
20KB

MD5
8a77aa30afbd169c284151b0acf9e1fe

SHA1
8f5a0efd679b65db330eaab529db1bf95a77ae8c

SHA256
63d4e6bc6f0cd4d9703b8e053fc6f178775bb195fede282767a020f83d6f93f4

SHA512
665f237bc99601a4456f59b8cfa5c135856d0487ac23cfddc67e2787cb83b06fdb3b334164a50da07bfc6be12bbb0597793021051f3a18a2aecf6cb5c4f1ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\gowk.nul

Filesize
147KB

MD5
a5ad600eaeb7b4bd6f7e7bd7e4d382cb

SHA1
e6d7f9dec77f3d6b01e789679d8cbe1d9021e272

SHA256
21db5b3b885475eca98160ea34fbdc0303a54ad36fa41ca71f6dbe5c3570897d

SHA512
a5bc1cb401b08dd1546365a6072aaa4602e1995e39f972cde8c0bc8ee7569480c0f75aeb03106564d8985488850d383702700b2f730c1cbccca18d4234b867c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\ornecentral.par

Filesize
190KB

MD5
3f4118f3e2bf1f342eed397c3b00512a

SHA1
03e94f6f726aa9709b677017e212e4a795fb93fa

SHA256
dcf483fcbf601d8e5c57339369d7f79bbafba07e80b39fbe0b9b8e12f067a250

SHA512
621acce677f3ff07f94598fdb48c47f2e77c2d9ab3e8452501664d3c33d599cd9fd5ebb630cdf19bc4793272db36fc122ccc93170d192fab16e3aefba79b54d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B84.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EWT99E2U.txt

Filesize
156B

MD5
b99c992d7fbe6d61c2b371de6c07be74

SHA1
d96b7b54f1e616eec50fa3da34d5a5b9cc0a594f

SHA256
fcc25361dfe245a42f3717bf98e04daa37a3a5212c9a79db81feb47d60c160dd

SHA512
c5bcc2fab2203bb26b34a1b3414c2f63da4e327b72df52f9109427b3285d82fd9f38ea33e594925a009778b340252c6ee40ff88f846927d580ac7af6d2537838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TY9ZI1FC.txt

Filesize
309B

MD5
65ecf9e82fcb698ead22e54b0a1fb29a

SHA1
657e408c35d47419ade8ed4495ed64827f334255

SHA256
3149fee3f3d9f2f589cb00078f321ea400280a530454f7672c3c2fa2726acafc

SHA512
b72fad307d40d790f3dd686029809128e2629d2c661d262f8a139997c4f3d04cb1698083c417ae5236fa6c160fa3c9777bfd8d0e96cf64ac2f6538a9f3a31064

Download Submit
C:\Users\Admin\Documents\Emissionsbreve.ini

Filesize
30B

MD5
9c41990255c107edff8d7ed715760746

SHA1
0adb5cd40454e53a34d2df3be971bea9b0e04452

SHA256
997506e1e3a395a57a4db940529da99b73d113bb10469d4e279bfbb8f67640b8

SHA512
d3cf4252752dd96e7fd855404f82ea57ad589f4d69b9df2bb93647657805f347ec65b97afa3fb0ec35e068b8deae31f863ed6c2e18bbe4146b03464301002018

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB04E.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
memory/604-153-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download
memory/604-99-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/604-152-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/1316-195-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/1316-190-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download
memory/1316-154-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/1780-197-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/2440-103-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/2596-18-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2596-17-0x0000000077081000-0x0000000077182000-memory.dmp

Filesize
1.0MB

Download
memory/2952-19-0x0000000001D70000-0x00000000068CF000-memory.dmp

Filesize
75.4MB

Download
memory/2952-20-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2952-94-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download
memory/2952-95-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads