guloader | a31907ef7aa827efdcfc036f0c4640b6a6bbfdd1e0f6a3a63056ce6c0d73c3b6

Analysis

max time kernel
14s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payee Advice Dated 07-April-2025_pdf.exe
Size

583KB
MD5

eca2ccd75638470aa004394ba0ce7556
SHA1

2c38dd2e0a3dae6b40fb5381b8cbe6a9375271ff
SHA256

a31907ef7aa827efdcfc036f0c4640b6a6bbfdd1e0f6a3a63056ce6c0d73c3b6
SHA512

1589c1ef56aff417ecb254b3f0b9aa33cd6f846c34e7b6628c017a16b4c1d59833b17c009086351005f2a47becc68c4a18a9c6faccdcc7c88d6dadb2fad590ec
SSDEEP

12288:ctoOoZHdIAQR5HyY2Q5XjxjLGYknelYJArEhpLBC/nlVUAV2M3j9RXRnX2o7:NOojcL2Q5Xj1LvkneqJ+4BC/lZV20HXn

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

196.251.86.105:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MJDICZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1616-210-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/3144-216-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1616-209-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/1352-219-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/3144-216-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1616-210-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/1616-209-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	payee Advice Dated 07-April-2025_pdf.exe

Executes dropped EXE 3 IoCs

pid	Process
1592	remcos.exe
3456	remcos.exe
3032	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
2800	payee Advice Dated 07-April-2025_pdf.exe
2800	payee Advice Dated 07-April-2025_pdf.exe
1592	remcos.exe
1592	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	payee Advice Dated 07-April-2025_pdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	payee Advice Dated 07-April-2025_pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
23	drive.google.com
45	drive.google.com
66	drive.google.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udkaaring.exe	payee Advice Dated 07-April-2025_pdf.exe
File opened for modification	C:\Windows\SysWOW64\udkaaring.exe	remcos.exe
File opened for modification	C:\Windows\SysWOW64\udkaaring.exe	remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1932	payee Advice Dated 07-April-2025_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2800	payee Advice Dated 07-April-2025_pdf.exe
1932	payee Advice Dated 07-April-2025_pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payee Advice Dated 07-April-2025_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payee Advice Dated 07-April-2025_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2800	payee Advice Dated 07-April-2025_pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1932	2800	payee Advice Dated 07-April-2025_pdf.exe	89
PID 2800 wrote to memory of 1932	2800	payee Advice Dated 07-April-2025_pdf.exe	89
PID 2800 wrote to memory of 1932	2800	payee Advice Dated 07-April-2025_pdf.exe	89
PID 2800 wrote to memory of 1932	2800	payee Advice Dated 07-April-2025_pdf.exe	89
PID 1932 wrote to memory of 1592	1932	payee Advice Dated 07-April-2025_pdf.exe	99
PID 1932 wrote to memory of 1592	1932	payee Advice Dated 07-April-2025_pdf.exe	99
PID 1932 wrote to memory of 1592	1932	payee Advice Dated 07-April-2025_pdf.exe	99
PID 768 wrote to memory of 3456	768	cmd.exe	100
PID 768 wrote to memory of 3456	768	cmd.exe	100
PID 768 wrote to memory of 3456	768	cmd.exe	100
PID 2124 wrote to memory of 3032	2124	cmd.exe	103
PID 2124 wrote to memory of 3032	2124	cmd.exe	103
PID 2124 wrote to memory of 3032	2124	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\payee Advice Dated 07-April-2025_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payee Advice Dated 07-April-2025_pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\payee Advice Dated 07-April-2025_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\payee Advice Dated 07-April-2025_pdf.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1592
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\zdieij"
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\jxnpibakl"
        5⤵
        
        PID:3144
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\uzshjuldzrtb"
        5⤵
        
        PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:1496
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:1688
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:2228
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:2736

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
583KB

MD5
eca2ccd75638470aa004394ba0ce7556

SHA1
2c38dd2e0a3dae6b40fb5381b8cbe6a9375271ff

SHA256
a31907ef7aa827efdcfc036f0c4640b6a6bbfdd1e0f6a3a63056ce6c0d73c3b6

SHA512
1589c1ef56aff417ecb254b3f0b9aa33cd6f846c34e7b6628c017a16b4c1d59833b17c009086351005f2a47becc68c4a18a9c6faccdcc7c88d6dadb2fad590ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
da958cd1a716966d49777581e394bfd3

SHA1
0ddb575aff46e9d828fea31b3f52e62863717dc8

SHA256
7dcdb69e7007f681c25157d44ccb3d7d7b4b774695f217d0297a9c659278cad5

SHA512
36c7836e7bc7db5dfd2119d41b9707bcdd23bf8e4032b98d0413898126e5c85e32d667c3072cb712b2b6262c04d0d336a5c443e5402c94d7a7e72c2bc8b042a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
471B

MD5
c0dbbcb8c13063973855d591e2be11c7

SHA1
bb47a4c34e07a04bffe7bd280dd09dd30b00f8d9

SHA256
843f9d392b82b9a0a936e8f68f67ab2381f065d552e9a00aa0bc1f8a96d571d9

SHA512
2bed576ea4466e8082c7aa9ee34f234832ac54c29eaca135226a6cad19fc3f1ebbfde407431184e4042459da36486b3d6718c83e101c2bc6bdfc8f2aff98e5a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_767BFDABB86D2457BE4D67797F01BA7C

Filesize
471B

MD5
aa9b4ed22115231f67bbd9d9e53c3a35

SHA1
b540202305cd2e6621117b086b52c51284134f7f

SHA256
a9e6dfa2d356bed45a658f738669620cfcf06af8f605a12b39116727acf0c0dd

SHA512
8facb334642b218722b3f8ea1ea984ccf50e0eb5443af8edbbb1b3a0fc7aa8e92b4717a45907c34f24e4a361e5292d40b84237dd0523f7f0a2c9c29eb113dbb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
556e18af12e5612a52242b51c1b7232f

SHA1
b05651080d4c5dfcd103930c1a8f55267135e4bc

SHA256
d7cab6f7e5587397f8cfd1797f50e064722537c05c94101bf7a2d448b6c8ce4d

SHA512
3252d9833b18028219eb950c2dadbdeb80349093fddb2ccc365e28c9073c1b7574956f0584caac04f33533d69224bdb5f1f05738721cd8df101c6c94646779cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
402B

MD5
a4ea35da28b1130cad8a89f48d4e93a5

SHA1
ba52fa383c65fceedea086943d7fa4d2d4adf4c2

SHA256
38f029fcb7dfff416a8a6f3e0497aff4bab9c2ce38c067aae5ec4c3309f21675

SHA512
1e20cf6d5754474aae7f9663262efa9ebcc7e346b50b8a861ebe6faecb690cc150ed1bdcbe520ecd778764bab7e5761b34d5154067a5181436b0c084a503dc51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_767BFDABB86D2457BE4D67797F01BA7C

Filesize
406B

MD5
7f64ff0a112a48a1261e7c70784ed789

SHA1
1af9137ab1497c092afd04cfddf115b6cc216b8f

SHA256
ae8bdf7f45f8dea0183c02845640da69bd8232910207254e2b0a411cce8844cd

SHA512
4bf6a31abe053f2113a4ffaccea0c187bc69ad192934f2a46e44d20e236fd8a315fd0a23aac8b60fd6429970a3a25d8f4f5c32a68dcdb588ac45ae7303c0217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8F71.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\maanedag\Expediate\Babylonia\nontextural.txt

Filesize
518B

MD5
48676db2c51596fd2763c870870cf76e

SHA1
41f867588c7c757522b2ddffacecf58f1e8afb62

SHA256
3ff36c24fb95fba85d10c2f36b68f4d2aa280a21039f8f6ec0ff79fda8d1a426

SHA512
1ef18171778c08ea48a3fad1abee987c72ee9985960e8bc1b2e2688cc6b192fe0c3bf10eed6543d6befb6a7379368070fa0aed5037845ab984c2c56453f1afc5

Download Submit
C:\Users\Admin\maanedag\Expediate\Babylonia\outsides.ini

Filesize
382B

MD5
a84573b0d29196243e70dab7fe191d50

SHA1
961caa5f6a205e260c8fc286a9d5fe1a99052ff8

SHA256
431e922e960f759df9a2f4d7abf3b2db11d152cee219d9ade2054de60e62a08c

SHA512
9f29657ae27bedb8bd60593ecf719822912c62a36e08109ac53cef8e1972e4224fc32f21801ddbf1b501c961f119711f00fdcb101b183707812c897baf405592

Download Submit
C:\Users\Admin\maanedag\Expediate\Babylonia\tropeklimas.txt

Filesize
660B

MD5
5c3325163caea32a52097ffb88abf465

SHA1
28ad774ed6489eeeac8d1d915d0658514b0b567f

SHA256
ce4421a30b3093c96c99e6c4986e7e29f79f2c0b112246a932e1660578e06ec4

SHA512
3b764f42aded3d59034413a75958d4b36d683b525dd7373071fd21d464ad126c6ea0eda11abe822211acfa5939eea5ddf45c3d70b623fb768e4347dfb3d4baae

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Accusatrixes.Sol

Filesize
50KB

MD5
2a13e9dcb42ee98b6237bfbd9c082567

SHA1
9ae9118e57c198bb22c06698bd5bc318e3d37579

SHA256
f87df2ef6ddebd8a5845b928b90c1573476d3bcfd7d0e3304928ffaa2734a3f1

SHA512
7a490ec9c23747721dd5e32d4d7af0ac8822159d555a8023c6bf8801adf8e7400432c9608b6295132284b429ed108ed73718923a8e90407ecedb0cfd114f7a3a

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Dynamiters.ini

Filesize
336B

MD5
0483e14b646fd46beb726c92f05dd31c

SHA1
e82caae31925dff01c4c4544bb0f5e223d8f7183

SHA256
d46577f5c7bf3b32aa74727a4aa4a628bed3cf050ec194919e7b6b1d89821c98

SHA512
24f80c82439f6ca11aef748a29f44ec7b572da5086348d76e5be275e76048c9ec00e95d436a25dd2f3003a9b76381da6e8bd6810f56af57d7d4aba272438c9e2

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Skilsmissebegringens\belemnid.kao

Filesize
113KB

MD5
dfabcd9f1264111f79098fc6581950f1

SHA1
ccf87cb11a9db3d51a1080fcdf7bcc4f4e3974bb

SHA256
4371052e97c09098899fe9a0602f242e6d758de58d07be02da416f8f2282a7e4

SHA512
2246756345a4c30b937aab1348ad855a52246910cdc301c86f3112e19e6052920685a07e6c502b58c54d49d07299b64ebc007a97fbf6d9b04f45e96faf6d27a8

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Skilsmissebegringens\bolles.txt

Filesize
521B

MD5
025c0ce7340eaf27653303e2cdeead0e

SHA1
8137619678a415c7ae07a4591297ac17b88a23d2

SHA256
31d9801005850c1515518597191258d3199505df363be0ace65e330bce002e00

SHA512
abca2b5f98d9d7abcb53a6f936428eaf5ba62909783235c322ab842a5b87c586c24a404ed5c1cdf32d3c212dfb10ada8dacad7dc35c0009fe4e3a495dea0a74c

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Skilsmissebegringens\isthmal.ini

Filesize
268B

MD5
52b9380e27870b853a38793e12365613

SHA1
6d102c5386e79efb1109a6d0e6b950ba0898ae05

SHA256
8806e57f541101f67bcecb698293d12b12979260a1f3c7e2c1567ef06b646eb3

SHA512
25c583cd40f81c5fa9c61a9cb8a80274515528e52b81566c1354444ec2f36ceab44e619baec55fbdd669a8775d4578186c8e16b5e8056e1454e31869defceb7f

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Skilsmissebegringens\mokkasiners.sce

Filesize
126KB

MD5
ba155781cc33a60c4337f59e9ec839a6

SHA1
bcad990b9541aca1f7a39b84b687d4627b8862cb

SHA256
fa1341181fa7dcca169f004dc85fe9e7c74901380dd518cc12b0fb4e529743fe

SHA512
0b9e0ebce9201ca1821332d2b4a4ef323195b686fa7a8eae7c4647c4ed722999aa09974661e06c8bfd9cc35f3efc7ec801271745de982142cfdc87dc0790fbf5

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\Spenderende.rrk

Filesize
382KB

MD5
911c13a266b9a91b7e7ac0982a71cb06

SHA1
2a3c99abd3fddb12f86384254acd698bee06e352

SHA256
ee34196be742d76ec15250aebc0a5ab68d6d1c6c336fb1565f23d010f926c60d

SHA512
1db2f5c9a9ad584dc26b3d86beb318e9c7b03293539678b0b1d00eaefda04a9d0ecbefabe493e2ae48c1ae99cd01dfe32afad613d65413037b9233b2b23cc55e

Download Submit
C:\Users\Admin\maanedag\Expediate\Revetoing\alarmens.jpg

Filesize
74B

MD5
1f48026df6e9e4aebc2867cb2a07a07d

SHA1
8098b69100ff43d1df93d7d42fead7a6aebe7638

SHA256
994252c8960cf2a4008c57bb64c39a18937638230293db1ca2cbc7bc63fc8ba5

SHA512
4edb34ee05c85efa311df528adc8954273fdfd6ad563aea480befee9e100e79f9492de3f26fd69ebd4bc510096866092dc24213835281d91bf8a9c536a725149

Download Submit
C:\Users\Admin\maanedag\Expediate\wagonmaker.Spl

Filesize
338KB

MD5
d8ba0a8cd8ece1061438654fc2710a75

SHA1
de772509ba346bf67e6ecc15c468cd46fc5803de

SHA256
447f3b1eefc4e7eb1f62037e60acb8eb6fbfdccbaf118fce820929e5a4b52f28

SHA512
b4af6571377453a5c9144a66a698463abda3e041a32f421b9a373c3cec933a75596198de694c0c2e19b8ebc1696d2f4d4180e4d8245a37e0003b8ad205fda28a

Download Submit
memory/1352-217-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1352-218-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1352-219-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1616-209-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1616-210-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1932-27-0x0000000077DC8000-0x0000000077DC9000-memory.dmp

Filesize
4KB

Download
memory/1932-38-0x00000000016E0000-0x0000000002E5B000-memory.dmp

Filesize
23.5MB

Download
memory/1932-55-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/1932-56-0x0000000077D41000-0x0000000077E61000-memory.dmp

Filesize
1.1MB

Download
memory/1932-44-0x00000000016E0000-0x0000000002E5B000-memory.dmp

Filesize
23.5MB

Download
memory/1932-39-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/1932-28-0x0000000077DE5000-0x0000000077DE6000-memory.dmp

Filesize
4KB

Download
memory/2688-208-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2688-152-0x00000000016E0000-0x0000000002E5B000-memory.dmp

Filesize
23.5MB

Download
memory/2688-167-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2688-206-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2688-164-0x00000000016E0000-0x0000000002E5B000-memory.dmp

Filesize
23.5MB

Download
memory/2688-160-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2688-224-0x0000000033390000-0x00000000333A9000-memory.dmp

Filesize
100KB

Download
memory/2688-228-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2688-225-0x0000000033390000-0x00000000333A9000-memory.dmp

Filesize
100KB

Download
memory/2688-221-0x0000000033390000-0x00000000333A9000-memory.dmp

Filesize
100KB

Download
memory/2688-227-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2736-226-0x00000000016E0000-0x0000000002E5B000-memory.dmp

Filesize
23.5MB

Download
memory/2800-26-0x00000000033B0000-0x0000000004B2B000-memory.dmp

Filesize
23.5MB

Download
memory/2800-24-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2800-23-0x0000000077D41000-0x0000000077E61000-memory.dmp

Filesize
1.1MB

Download
memory/2800-22-0x00000000033B0000-0x0000000004B2B000-memory.dmp

Filesize
23.5MB

Download
memory/3144-216-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3144-215-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3144-214-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads