guloader | f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8

Analysis

max time kernel
19s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Size

878KB
MD5

b88ac267dbfca8a81de4439036d12c24
SHA1

c48876d33ad00024eeabbfa39cdc681317e24e76
SHA256

f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8
SHA512

a727b4ff87d55bb8800e8a6566c6c6f9e9fb87eb97d447a484a6396a58ec8defa7d1a5cb1a25f8406f5dbecc44a38a47af13bc3562bf742ffd45b3cf21cfbf7e
SSDEEP

12288:JUjfmwszThqQM5rAUgsupiaz15kDdtZQFxj08SiXIql8Wm4y6JgN/i6x:JUjfmNzTMrIpjkDTZQX04F8bZN6A

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

196.251.69.85:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-K5GQZM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/5496-30857-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/5632-31149-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/6528-30919-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/5496-30802-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/6528-30919-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/5496-30857-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/5496-30802-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Executes dropped EXE 3 IoCs

pid	Process
3112	remcos.exe
2652	remcos.exe
1408	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
3112	remcos.exe
3112	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-K5GQZM = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-K5GQZM = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
23	drive.google.com
24	drive.google.com
39	drive.google.com
62	drive.google.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification	C:\Windows\SysWOW64\quadrigae.jpg	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification	C:\Windows\SysWOW64\Disarticulating.ini	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe
File opened for modification	C:\Windows\SysWOW64\suppressionens.bin	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2632	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
2632	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe
File opened for modification	C:\Program Files (x86)\dyppekogerens.ini	remcos.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	remcos.exe
File opened for modification	C:\Windows\resources\mechanicochemical.jpg	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2632	4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	93
PID 4244 wrote to memory of 2632	4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	93
PID 4244 wrote to memory of 2632	4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	93
PID 4244 wrote to memory of 2632	4244	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	93
PID 2632 wrote to memory of 3112	2632	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	101
PID 2632 wrote to memory of 3112	2632	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	101
PID 2632 wrote to memory of 3112	2632	f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe	101
PID 2668 wrote to memory of 2652	2668	cmd.exe	102
PID 2668 wrote to memory of 2652	2668	cmd.exe	102
PID 2668 wrote to memory of 2652	2668	cmd.exe	102
PID 3596 wrote to memory of 1408	3596	cmd.exe	103
PID 3596 wrote to memory of 1408	3596	cmd.exe	103
PID 3596 wrote to memory of 1408	3596	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
"C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe
  "C:\Users\Admin\AppData\Local\Temp\f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3112
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      PID:3324
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        5⤵
        
        PID:5344
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        5⤵
        
        PID:5200
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ujrawilrscqly"
        5⤵
        
        PID:5496
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\edwtptvlgkiqjhhc"
        5⤵
        
        PID:6528
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfbeqlgnusadlovgvhve"
        5⤵
        
        PID:6880
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfbeqlgnusadlovgvhve"
        5⤵
        
        PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:4736
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:1664
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:8596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:3652
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dyppekogerens.ini

Filesize
44B

MD5
6644a29c4fcb5c51650383ac2625163a

SHA1
75de5a6b73cd9bc47af952ad60679535cf768b27

SHA256
0d9e8205fb30192bec64aa7c4d7a0c9d98e469f6739aa321d3b85da16caa8abc

SHA512
2e6a476b3045a543a322332b2eb9d261002c3a278dc408b9eb5af3e4b136fe1b783c3091ce5edaaa7f3c8d2bffab714408bb23ae2e135cd034e1ff02ef36302a

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
878KB

MD5
b88ac267dbfca8a81de4439036d12c24

SHA1
c48876d33ad00024eeabbfa39cdc681317e24e76

SHA256
f0a2e9f3fc131d22c3d7a03318377de60416b39f2c1ecd6533a5aeaa115030b8

SHA512
a727b4ff87d55bb8800e8a6566c6c6f9e9fb87eb97d447a484a6396a58ec8defa7d1a5cb1a25f8406f5dbecc44a38a47af13bc3562bf742ffd45b3cf21cfbf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D00.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Attakerede.pro

Filesize
3.2MB

MD5
24c453c82258126ae46700880f6cceef

SHA1
562fc29d0cd6a4853a5cf692d9d83839576f5aeb

SHA256
1874c5957744cf91e2cd38898b6eb27d89d4f20d2d9cb96c6bff31e9d2518d16

SHA512
e160eaf58106979143ff96d61a1f74808ce3bd75de510b60299ed83e2cad473267c548e835700bff7f6a5f5bff53ae1fa570cdccf5b18883b71db7aa0db27c69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Emmetrope.Klo

Filesize
92KB

MD5
475f2fbd583ddb7c617e068f14d964d9

SHA1
ce5eb262ebda515d09ad6c662eb9c98cd524f0b8

SHA256
8a98c4c990992da6f37f8a2f06a1c210e285440bc1d2ed9c901dda51ce4f6ab3

SHA512
a102ed454369a04f4a60073b5e378090bc36f7f83969fd768b11b2e223f0a35527fc2088911997f4be4ea8a2ceeeb666b0a552daf1dfbc499378e7ce9943e971

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Nonnumeral.Sbe

Filesize
384KB

MD5
d667537e934dfc3eed0e69c453c7fffa

SHA1
622243cba2808dbda969a9aca907d5bff45f17f7

SHA256
e5afbbf693334a459581beb79e7b7d5b7d202626a4917fb6df45287f3162f623

SHA512
8108c678c426d34584f5ab7e7f8f80a22f700e6521cd33954dad1d8fd8c78711c335c7f22a053b3cc078c920bd2a249e6ee805bc3c204152e71e72675d0b0dbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Pavonazzetto.mis

Filesize
1.1MB

MD5
7d060d3ad332eff7eabf0915f50b3a8d

SHA1
9352a2b1e485ada11fc53c755549dc36f1ddf949

SHA256
923908290b51a53a2be4ebd9935c675162bf60f82004a3a4eebd1da1652c998d

SHA512
8dab095fec80d47c3e3f5b2b78dc5fc704c0993bd0da9a42b4b2a2c9dea36b72a93d1de67ad060a66b527d714fb4454b972ee95e7e623ef3cd9b006788c645b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Smreolien33.dec

Filesize
2.0MB

MD5
1690c9a03bb7c977ac57b32b709bf714

SHA1
88ba17befa4004f4601fe627c4b48d3055e3c6ed

SHA256
296a1556b6bf8d00f8d7f00741f9a510a5123b05d738379fddc26357e29a3244

SHA512
1efa2243c9bf866aba6e1d12e0c6c620a478eb82ae8bb52b1f679d9cde154b5dc2c278aeb702b773f624cd132c91c557c71be8f384b8301fa03adbf417613ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Synthesizes33.txt

Filesize
504B

MD5
87e7fee841319934f8854a753077879b

SHA1
0e5e732e212d54e71808e5c1c921c4459b597193

SHA256
82b873d4137f2d2a4aceedcc5ad6c9fef39460308cbbce54f37529cdfcc1ba57

SHA512
05c2aa2d6468306132c806e585eb9ba9f09554c53638e596b97b952fff6b0324c4012a063e513437e881656aaab1043c530976acd1eb79e00ac4d6dbf1b1cd16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Torenia\tmh.ini

Filesize
295B

MD5
09f74b91ee389deb1956fa911f819e9c

SHA1
693f9f96af012962ff6d4645fe38e294c8c5316b

SHA256
86e7165b8c377122d41f1833f6d2dd5c38031b2de6ff463d5b51969585f04998

SHA512
c74cca6e1a151e4f73c998d13caa908d8e10ee8bcaaa68946f69cc7c156c5a92994e3b3d680f4c78ade9757e575c6e23af37a815dda7baac2be81bcf49af4c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Torenia\tralatitiously.ini

Filesize
280B

MD5
68b713a216781101284300debf730cd6

SHA1
b362ec481fe13a6054cd0cef698b4d316cfb7ebe

SHA256
83a278a60e3aed10ddcff0ea52c7315df48ccd3119d39a0dd218ce1cde813691

SHA512
ad24849ec1f621529f8e807de0610d03a23504f0d7eba759bc1a8cb473002c3016c8cfed7afcbdce3645c9a6f4e4fe2261f40fdbb35a44395404d74c03e8da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Torenia\trundle.ini

Filesize
638B

MD5
a1aa57bb9f555c4a095d0c817435a82e

SHA1
cd4933a29edf8f72af8f32586c2d1dfbc1ff575d

SHA256
6219fb47744d71837d70c9bc31deb2ce8120c707a7888f50fcf558b0c6bc96e7

SHA512
179122c07e04914b30e4da14dbc5182e2f7dfdaaa678645a2874ea8256f66aef30caaa199c65d4816b9e84f05279f37b7a8ce3cb99a82b3eaf59297039961885

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\Torenia\tumleplads.ini

Filesize
279B

MD5
5e6a6b65956a1f5e1f65b9419a4827d0

SHA1
53f85675dacfed6393c04438a533fccfdb105075

SHA256
e86781a1f0b5d4ca96368bd63bc0807d942e1c41d8903d685659a56d2c7744aa

SHA512
ba7a3dd0839177cb7723d61de8bd669d6126222e03475cefff4c4de3f3f24022c34bc1c470fe5983e5a3f07c920d6fe1010e2adecd658bd22105692528ea327d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\bugloss.rai

Filesize
3.5MB

MD5
7a8f61bcccc6e42fac7f5e9b3810ba5c

SHA1
927544bd328d3db39c96f7cca792758e446ac8ad

SHA256
ba1b5576489f8324575def8bc86091ebdde33011b3bd4d09876393fdbcc9e30e

SHA512
f0049f39044c21b863615252d0b70d17fb45483bc3a8eda0fb4ab353a6d416761a354705587aeee0dc66e802334babf1d364a1ac55e1f54486ae485f1ecd6622

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\censorkorpsenes.ini

Filesize
305B

MD5
a4a2aa48417985844c196b3cd5e2b70d

SHA1
1dbddbd73130a1a5ea6f281c990bdc30801739d6

SHA256
40fc272178b28026f17c2d506684a7c7c5ae3c3d35cc8aee1aaf0d3b8bdd8782

SHA512
b26f890c7501a3f348a40c9365659cf57c10326d9a06d503468df5a5529237d06a2e314734e65238b318a7a74b85107fdd2aa339eb63f5368aed7b36208172cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\coralliferous.ini

Filesize
320B

MD5
18f56af1efeb71430fbb3beef59cc50c

SHA1
0877c338f90045ca71257813b30a4e336d529f4b

SHA256
66b83566825b4a557cc6b276321069c7bc9821963ec1c87d09b61a1c9357e1d0

SHA512
e9f643d19a1ac2ecefb6c200c37794310e85647fc8382903000b367d1988f0a56800e2826488b723cba2c100be145cbddd20efd91bc8ef7e212e1b55cb701cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\stivnedes.ini

Filesize
555B

MD5
18a67a1fae480cd33bff380eac1b72a4

SHA1
8b84634c187fd6f31905c86cb7495d4d3f70e71e

SHA256
370f70c21de89b48f34e89b71c96a0a32fab7b67437fa3918a4ce312ddd63a46

SHA512
09588a194a267bc6a8246d1d836546e29de75083181803442fe29e1a18ca98be1439ea3a14e0ca745beb4798cf4670dca10905fe33aefb6a4ad7180e6bf154c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fibbed\Klassiske\sulfamyl.ini

Filesize
456B

MD5
a2ff4b479c512364f2902c1849882995

SHA1
7337c45a5c9253682d5faa5a37bcbb5390f84774

SHA256
2ed67e96c1cda469b2cf2c7b7ebecf35c21338c72208b6c28927216301d7449c

SHA512
8eec2c09e0079dce130443c562c30e2eb2decd5e06ac9517414b1d256f8a8ee47572a73da32bff54c9d3114a171bb9a91fe3d8631171bc8d1ba35116ee7ea0be

Download Submit
memory/2632-297-0x0000000077988000-0x0000000077989000-memory.dmp

Filesize
4KB

Download
memory/2632-322-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2632-326-0x0000000077901000-0x0000000077A21000-memory.dmp

Filesize
1.1MB

Download
memory/2632-313-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download
memory/2632-309-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2632-308-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download
memory/2632-298-0x00000000779A5000-0x00000000779A6000-memory.dmp

Filesize
4KB

Download
memory/3324-7414-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download
memory/3324-168651-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-93227-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-64886-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-108151-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-21169-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-28844-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-29215-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download
memory/3324-51185-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-34502-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-183384-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-77926-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-153669-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-139782-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-124051-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3324-32847-0x0000000033C60000-0x0000000033C79000-memory.dmp

Filesize
100KB

Download
memory/3324-32855-0x0000000033C60000-0x0000000033C79000-memory.dmp

Filesize
100KB

Download
memory/3324-32854-0x0000000033C60000-0x0000000033C79000-memory.dmp

Filesize
100KB

Download
memory/4244-296-0x00000000033C0000-0x0000000004C86000-memory.dmp

Filesize
24.8MB

Download
memory/4244-292-0x00000000033C0000-0x0000000004C86000-memory.dmp

Filesize
24.8MB

Download
memory/4244-293-0x0000000077901000-0x0000000077A21000-memory.dmp

Filesize
1.1MB

Download
memory/4244-294-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/5496-30802-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5496-30857-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5632-31078-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5632-31148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5632-31149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6528-30901-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/6528-30918-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/6528-30919-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/8596-77296-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/8596-76943-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download
memory/8596-66638-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/8596-53298-0x0000000001700000-0x0000000002FC6000-memory.dmp

Filesize
24.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads