guloader | 2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a

Analysis

max time kernel
19s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payroll List_pdf.bat.exe
Size

852KB
MD5

55c905a0ec317664371b8ae3962d90cc
SHA1

1cc73aeb68495a320d14b23c720d47167989b214
SHA256

2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a
SHA512

289368437de4ee377c7c63bf4ebcc4eb0cf1555b2dc780fa14638b06855322a9aa50527e02d3444f3886d6264bb0a2e3c384520721145c2570647f90ead16227
SSDEEP

12288:JUjfTWyZA97KB+qmoSMfuiJp9vj/Xd53WiLwfheEAql6oIkJ/0DrQ:JUjfTsKB+a/f3Z53tLMGtQkQ

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

196.251.86.105:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MJDICZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/7460-52970-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/4664-53429-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1680-53347-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/7460-52986-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1680-53347-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/7460-52970-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/7460-52986-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Payroll List_pdf.bat.exe

Executes dropped EXE 3 IoCs

pid	Process
3580	remcos.exe
4872	remcos.exe
5116	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
6064	Payroll List_pdf.bat.exe
6064	Payroll List_pdf.bat.exe
5116	remcos.exe
5116	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.bat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	Payroll List_pdf.bat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
24	drive.google.com
25	drive.google.com
50	drive.google.com
62	drive.google.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	Payroll List_pdf.bat.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	Payroll List_pdf.bat.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	Payroll List_pdf.bat.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4496	Payroll List_pdf.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
6064	Payroll List_pdf.bat.exe
4496	Payroll List_pdf.bat.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	Payroll List_pdf.bat.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	Payroll List_pdf.bat.exe
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payroll List_pdf.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6064	Payroll List_pdf.bat.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 6064 wrote to memory of 4496	6064	Payroll List_pdf.bat.exe	92
PID 6064 wrote to memory of 4496	6064	Payroll List_pdf.bat.exe	92
PID 6064 wrote to memory of 4496	6064	Payroll List_pdf.bat.exe	92
PID 6064 wrote to memory of 4496	6064	Payroll List_pdf.bat.exe	92
PID 4496 wrote to memory of 3580	4496	Payroll List_pdf.bat.exe	100
PID 4496 wrote to memory of 3580	4496	Payroll List_pdf.bat.exe	100
PID 4496 wrote to memory of 3580	4496	Payroll List_pdf.bat.exe	100
PID 1348 wrote to memory of 4872	1348	cmd.exe	101
PID 1348 wrote to memory of 4872	1348	cmd.exe	101
PID 1348 wrote to memory of 4872	1348	cmd.exe	101
PID 544 wrote to memory of 5116	544	cmd.exe	102
PID 544 wrote to memory of 5116	544	cmd.exe	102
PID 544 wrote to memory of 5116	544	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5116
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:3856
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ozlzklfgbhjzspttvyrzstaj"
      4⤵
      PID:7460
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
      4⤵
      PID:10524
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
      4⤵
      PID:6272
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\aveclwjbdxtqfcdbvtzuglhjkcnrbum"
      4⤵
      PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:7964
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:11100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:10976
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:7332
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dyppekogerens.ini

Filesize
44B

MD5
6644a29c4fcb5c51650383ac2625163a

SHA1
75de5a6b73cd9bc47af952ad60679535cf768b27

SHA256
0d9e8205fb30192bec64aa7c4d7a0c9d98e469f6739aa321d3b85da16caa8abc

SHA512
2e6a476b3045a543a322332b2eb9d261002c3a278dc408b9eb5af3e4b136fe1b783c3091ce5edaaa7f3c8d2bffab714408bb23ae2e135cd034e1ff02ef36302a

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
852KB

MD5
55c905a0ec317664371b8ae3962d90cc

SHA1
1cc73aeb68495a320d14b23c720d47167989b214

SHA256
2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a

SHA512
289368437de4ee377c7c63bf4ebcc4eb0cf1555b2dc780fa14638b06855322a9aa50527e02d3444f3886d6264bb0a2e3c384520721145c2570647f90ead16227

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso77B2.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
3.2MB

MD5
24c453c82258126ae46700880f6cceef

SHA1
562fc29d0cd6a4853a5cf692d9d83839576f5aeb

SHA256
1874c5957744cf91e2cd38898b6eb27d89d4f20d2d9cb96c6bff31e9d2518d16

SHA512
e160eaf58106979143ff96d61a1f74808ce3bd75de510b60299ed83e2cad473267c548e835700bff7f6a5f5bff53ae1fa570cdccf5b18883b71db7aa0db27c69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Hvirvelbevgelsernes.Fly

Filesize
100KB

MD5
178131e7517c1ef8da7cf2751854b15a

SHA1
f75de16d91bbcd359faebf8a885fb4e2a3f6e42e

SHA256
4f8ab7d231ba978db40606e97805c4664c219b9514c7d88910880220b9674689

SHA512
4eb63188b09a03dd7d04c7565ec742a1a0d5a3a54ec598bccc125914289ead8cbf8ebdbac7f37bba30c68a3b1668079111f52ec4a260e823cdd01e06362616af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Pavonazzetto.mis

Filesize
64KB

MD5
56321564841467550c0dba296e868f66

SHA1
967da7b3824940b430e9ba70bdcf2d15b948166f

SHA256
b642b5fa635217cee69bde974e91ee6616807c071e233632d0baaf8d718d7758

SHA512
9dbb98b4c9aafb66c76ea873bb53c1167f6b1ecc0db0a84a96152a8927f988782d170ef6d22668e62d3d1e839cc3484bc3fffec24f47f82ba4125246d6762fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Pavonazzetto.mis

Filesize
1.1MB

MD5
7d060d3ad332eff7eabf0915f50b3a8d

SHA1
9352a2b1e485ada11fc53c755549dc36f1ddf949

SHA256
923908290b51a53a2be4ebd9935c675162bf60f82004a3a4eebd1da1652c998d

SHA512
8dab095fec80d47c3e3f5b2b78dc5fc704c0993bd0da9a42b4b2a2c9dea36b72a93d1de67ad060a66b527d714fb4454b972ee95e7e623ef3cd9b006788c645b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Smreolien33.dec

Filesize
192KB

MD5
dc8142cafd51cff94b9aad734e2f36e4

SHA1
bcd461f517630632aa3e1b864a5c9167c9db96cd

SHA256
778696c3cb7b0ca3700a238eae31225c95df835ae371bc3af5b5c175bcaa5e2e

SHA512
4df970e594f0899e73e931cde4a17b3fbd647615eeff97ac934913b1d4ab41af3a86ce8c1e2b7e44ad89c68261b9a093104f497991294e63d2100fc63f4376ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Smreolien33.dec

Filesize
2.0MB

MD5
1690c9a03bb7c977ac57b32b709bf714

SHA1
88ba17befa4004f4601fe627c4b48d3055e3c6ed

SHA256
296a1556b6bf8d00f8d7f00741f9a510a5123b05d738379fddc26357e29a3244

SHA512
1efa2243c9bf866aba6e1d12e0c6c620a478eb82ae8bb52b1f679d9cde154b5dc2c278aeb702b773f624cd132c91c557c71be8f384b8301fa03adbf417613ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Synthesizes33.txt

Filesize
504B

MD5
87e7fee841319934f8854a753077879b

SHA1
0e5e732e212d54e71808e5c1c921c4459b597193

SHA256
82b873d4137f2d2a4aceedcc5ad6c9fef39460308cbbce54f37529cdfcc1ba57

SHA512
05c2aa2d6468306132c806e585eb9ba9f09554c53638e596b97b952fff6b0324c4012a063e513437e881656aaab1043c530976acd1eb79e00ac4d6dbf1b1cd16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\alcantara.Snd

Filesize
331KB

MD5
b835e1265e0cd50ac1b7b020652fb937

SHA1
5139fb07706955b38a7c2c3cca19d20762b1cf12

SHA256
830e41fb9ef6c164cbbda6c51939cfd186479f25ab5c75539f410ee212b3dfc8

SHA512
e44cb462704235662ab7986bd09de0ac19aa35ff712c47e59de8ff8e027e902573150779c5e8c07031e1f2ee4006debcbf77f9f32cfbf66334df12dab00ac4f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\bugloss.rai

Filesize
3.5MB

MD5
7a8f61bcccc6e42fac7f5e9b3810ba5c

SHA1
927544bd328d3db39c96f7cca792758e446ac8ad

SHA256
ba1b5576489f8324575def8bc86091ebdde33011b3bd4d09876393fdbcc9e30e

SHA512
f0049f39044c21b863615252d0b70d17fb45483bc3a8eda0fb4ab353a6d416761a354705587aeee0dc66e802334babf1d364a1ac55e1f54486ae485f1ecd6622

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\censorkorpsenes.ini

Filesize
305B

MD5
a4a2aa48417985844c196b3cd5e2b70d

SHA1
1dbddbd73130a1a5ea6f281c990bdc30801739d6

SHA256
40fc272178b28026f17c2d506684a7c7c5ae3c3d35cc8aee1aaf0d3b8bdd8782

SHA512
b26f890c7501a3f348a40c9365659cf57c10326d9a06d503468df5a5529237d06a2e314734e65238b318a7a74b85107fdd2aa339eb63f5368aed7b36208172cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\coralliferous.ini

Filesize
320B

MD5
18f56af1efeb71430fbb3beef59cc50c

SHA1
0877c338f90045ca71257813b30a4e336d529f4b

SHA256
66b83566825b4a557cc6b276321069c7bc9821963ec1c87d09b61a1c9357e1d0

SHA512
e9f643d19a1ac2ecefb6c200c37794310e85647fc8382903000b367d1988f0a56800e2826488b723cba2c100be145cbddd20efd91bc8ef7e212e1b55cb701cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\stivnedes.ini

Filesize
555B

MD5
18a67a1fae480cd33bff380eac1b72a4

SHA1
8b84634c187fd6f31905c86cb7495d4d3f70e71e

SHA256
370f70c21de89b48f34e89b71c96a0a32fab7b67437fa3918a4ce312ddd63a46

SHA512
09588a194a267bc6a8246d1d836546e29de75083181803442fe29e1a18ca98be1439ea3a14e0ca745beb4798cf4670dca10905fe33aefb6a4ad7180e6bf154c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\sulfamyl.ini

Filesize
456B

MD5
a2ff4b479c512364f2902c1849882995

SHA1
7337c45a5c9253682d5faa5a37bcbb5390f84774

SHA256
2ed67e96c1cda469b2cf2c7b7ebecf35c21338c72208b6c28927216301d7449c

SHA512
8eec2c09e0079dce130443c562c30e2eb2decd5e06ac9517414b1d256f8a8ee47572a73da32bff54c9d3114a171bb9a91fe3d8631171bc8d1ba35116ee7ea0be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\tmh.ini

Filesize
295B

MD5
09f74b91ee389deb1956fa911f819e9c

SHA1
693f9f96af012962ff6d4645fe38e294c8c5316b

SHA256
86e7165b8c377122d41f1833f6d2dd5c38031b2de6ff463d5b51969585f04998

SHA512
c74cca6e1a151e4f73c998d13caa908d8e10ee8bcaaa68946f69cc7c156c5a92994e3b3d680f4c78ade9757e575c6e23af37a815dda7baac2be81bcf49af4c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\tralatitiously.ini

Filesize
280B

MD5
68b713a216781101284300debf730cd6

SHA1
b362ec481fe13a6054cd0cef698b4d316cfb7ebe

SHA256
83a278a60e3aed10ddcff0ea52c7315df48ccd3119d39a0dd218ce1cde813691

SHA512
ad24849ec1f621529f8e807de0610d03a23504f0d7eba759bc1a8cb473002c3016c8cfed7afcbdce3645c9a6f4e4fe2261f40fdbb35a44395404d74c03e8da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\trundle.ini

Filesize
638B

MD5
a1aa57bb9f555c4a095d0c817435a82e

SHA1
cd4933a29edf8f72af8f32586c2d1dfbc1ff575d

SHA256
6219fb47744d71837d70c9bc31deb2ce8120c707a7888f50fcf558b0c6bc96e7

SHA512
179122c07e04914b30e4da14dbc5182e2f7dfdaaa678645a2874ea8256f66aef30caaa199c65d4816b9e84f05279f37b7a8ce3cb99a82b3eaf59297039961885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\tumleplads.ini

Filesize
279B

MD5
5e6a6b65956a1f5e1f65b9419a4827d0

SHA1
53f85675dacfed6393c04438a533fccfdb105075

SHA256
e86781a1f0b5d4ca96368bd63bc0807d942e1c41d8903d685659a56d2c7744aa

SHA512
ba7a3dd0839177cb7723d61de8bd669d6126222e03475cefff4c4de3f3f24022c34bc1c470fe5983e5a3f07c920d6fe1010e2adecd658bd22105692528ea327d

Download Submit
memory/1680-53268-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1680-53347-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1680-53317-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2480-73937-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2480-75962-0x0000000001700000-0x0000000002D44000-memory.dmp

Filesize
22.3MB

Download
memory/2480-76100-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-50693-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-83911-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-182699-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-171320-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-157077-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-28607-0x0000000001700000-0x0000000002D44000-memory.dmp

Filesize
22.3MB

Download
memory/3856-45779-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-142746-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-51560-0x0000000001700000-0x0000000002D44000-memory.dmp

Filesize
22.3MB

Download
memory/3856-128026-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-115260-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-99879-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-72542-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-58290-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3856-54915-0x0000000033F20000-0x0000000033F39000-memory.dmp

Filesize
100KB

Download
memory/3856-54916-0x0000000033F20000-0x0000000033F39000-memory.dmp

Filesize
100KB

Download
memory/3856-54912-0x0000000033F20000-0x0000000033F39000-memory.dmp

Filesize
100KB

Download
memory/4496-321-0x0000000001700000-0x0000000002D44000-memory.dmp

Filesize
22.3MB

Download
memory/4496-308-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/4496-298-0x0000000077765000-0x0000000077766000-memory.dmp

Filesize
4KB

Download
memory/4496-312-0x0000000001700000-0x0000000002D44000-memory.dmp

Filesize
22.3MB

Download
memory/4496-297-0x0000000077748000-0x0000000077749000-memory.dmp

Filesize
4KB

Download
memory/4496-328-0x00000000776C1000-0x00000000777E1000-memory.dmp

Filesize
1.1MB

Download
memory/4496-324-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/4664-53428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4664-53429-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4664-53427-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6064-294-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/6064-292-0x0000000003280000-0x00000000048C4000-memory.dmp

Filesize
22.3MB

Download
memory/6064-293-0x00000000776C1000-0x00000000777E1000-memory.dmp

Filesize
1.1MB

Download
memory/6064-296-0x0000000003280000-0x00000000048C4000-memory.dmp

Filesize
22.3MB

Download
memory/7460-52986-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/7460-52970-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads