guloader | dbfc48866b03f8d8141fbdd9f1d67581a9fea0be3198148327c773961da30667

Analysis

max time kernel
19s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025 Staff Satisfaction Survey.exe
Size

693KB
MD5

9e44332968633c219a3207a63bd73d98
SHA1

c42747558e13f300e05a26e2c545257b29172701
SHA256

79adf75aed9c95e003d6726b4df5a6f98233e1e2712e39dcbfb02dd479cf4742
SHA512

42243f0f37db43e16d13c63fd50882a43a1203f36cf71333b082271544950ad839241e00d5dfca219207d35120bcb6bc1a36fb1dd70df8a98ab5789a0a742065
SSDEEP

12288:BY/aiHIbJPf/kGO7mRbOHnzq05vjYN54edUNxScVDGEOx31BNaMf8nQxehZZY8:BY/aDbJPnkGO6b2zqLe/TOXBNaMknYe3

Score

10^/10

guloader remcos remotehost discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

196.251.92.62:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Q6KAMU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2696-176-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral1/memory/5920-182-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1596-185-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2696-175-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/5920-182-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2696-176-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral1/memory/2696-175-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	2025 Staff Satisfaction Survey.exe

Executes dropped EXE 3 IoCs

pid	Process
4988	remcos.exe
5936	remcos.exe
4984	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
1156	2025 Staff Satisfaction Survey.exe
1156	2025 Staff Satisfaction Survey.exe
4988	remcos.exe
4988	remcos.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Q6KAMU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2025 Staff Satisfaction Survey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Q6KAMU = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2025 Staff Satisfaction Survey.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
43	drive.google.com
57	drive.google.com
19	drive.google.com
20	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Objectee.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Objectee.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Objectee.ini	remcos.exe
File opened for modification	C:\Windows\SysWOW64\Objectee.ini	2025 Staff Satisfaction Survey.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1680	2025 Staff Satisfaction Survey.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1156	2025 Staff Satisfaction Survey.exe
1680	2025 Staff Satisfaction Survey.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\otto\asynchronisms.bin	2025 Staff Satisfaction Survey.exe
File opened for modification	C:\Windows\resources\0409\otto\asynchronisms.bin	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025 Staff Satisfaction Survey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025 Staff Satisfaction Survey.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1156	2025 Staff Satisfaction Survey.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1680	1156	2025 Staff Satisfaction Survey.exe	89
PID 1156 wrote to memory of 1680	1156	2025 Staff Satisfaction Survey.exe	89
PID 1156 wrote to memory of 1680	1156	2025 Staff Satisfaction Survey.exe	89
PID 1156 wrote to memory of 1680	1156	2025 Staff Satisfaction Survey.exe	89
PID 1680 wrote to memory of 4988	1680	2025 Staff Satisfaction Survey.exe	94
PID 1680 wrote to memory of 4988	1680	2025 Staff Satisfaction Survey.exe	94
PID 1680 wrote to memory of 4988	1680	2025 Staff Satisfaction Survey.exe	94
PID 5408 wrote to memory of 5936	5408	cmd.exe	95
PID 5408 wrote to memory of 5936	5408	cmd.exe	95
PID 5408 wrote to memory of 5936	5408	cmd.exe	95
PID 5556 wrote to memory of 4984	5556	cmd.exe	96
PID 5556 wrote to memory of 4984	5556	cmd.exe	96
PID 5556 wrote to memory of 4984	5556	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\2025 Staff Satisfaction Survey.exe
"C:\Users\Admin\AppData\Local\Temp\2025 Staff Satisfaction Survey.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\2025 Staff Satisfaction Survey.exe
  "C:\Users\Admin\AppData\Local\Temp\2025 Staff Satisfaction Survey.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4988
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\bsoz"
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\bsoz"
        5⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\dmbrvuk"
        5⤵
        
        PID:5900
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\dmbrvuk"
        5⤵
        
        PID:5920
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\oogcwfvmbvu"
        5⤵
        
        PID:3876
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\oogcwfvmbvu"
        5⤵
        
        PID:5844
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\oogcwfvmbvu"
        5⤵
        
        PID:336
    - - C:\Windows\SysWOW64\recover.exe
        
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\oogcwfvmbvu"
        5⤵
        
        PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5408
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5556
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:4496
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:5312
- - C:\ProgramData\Remcos\remcos.exe
    C:\ProgramData\Remcos\remcos.exe
    3⤵
    PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
1⤵
PID:5024
- C:\ProgramData\Remcos\remcos.exe
  C:\ProgramData\Remcos\remcos.exe
  2⤵
  PID:228

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
693KB

MD5
9e44332968633c219a3207a63bd73d98

SHA1
c42747558e13f300e05a26e2c545257b29172701

SHA256
79adf75aed9c95e003d6726b4df5a6f98233e1e2712e39dcbfb02dd479cf4742

SHA512
42243f0f37db43e16d13c63fd50882a43a1203f36cf71333b082271544950ad839241e00d5dfca219207d35120bcb6bc1a36fb1dd70df8a98ab5789a0a742065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
517b42c897481d3ef87c7d3590dc4556

SHA1
52db14d62d6e762bf4ee6458d4e562abffe66dd1

SHA256
8b03de3b33087141fa82c1e1cd7e6c704a47d755316c62cbaa63b5eb84192af5

SHA512
86c0d25d1825b6dbf3b415ec3e5ce87a55177bf9c9e6ff176dd98b8a44fe9082ae457d2b8c01c4f24c0e1e530c99307bce3c5600f1d1c9964e24551d99175b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
471B

MD5
1d4632adbc075ecbc910f1dc1ea7aab7

SHA1
aefef0d5a36d2ccbb0269d89acd7607c185563b9

SHA256
da21852c5ec264fdf502462af387cc11b877e6df1a9cf6aa11634f084bde188f

SHA512
e024a6cc7f80cf0b70479bb3d98593f7b2ee07ecf37eaa892a828f889614cdce3a6a3cb203a02d7150b593f2f48e9bf1e80635b07f2fe6d2a7f5685f6b9fe34b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
74bc15692d0e953a73003e4f1002bd9f

SHA1
c8fd7c5e5f7bbe86cb85b67514ff7948e0fd204b

SHA256
b4b2e3d6c182913dd638291456216a6dce0c9c685a1b9a754c74ebad74694470

SHA512
98bbba34cc04c9e8fc9113c165297d2da1fe5da8e5720cbcc08365c05eceeab5b79261bdd42dc8d5a1181bce9cda4e064afe4137bdad8d70e5d0b83125df4230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D1B2C3FDC4CC18AB2F25B2BB5E2D4A02

Filesize
402B

MD5
1dffcf5fbe0b9669991570e8b65f088e

SHA1
dc5e27c0162efeb9eedf194c993b8d42033be2bf

SHA256
c0422b4e1039ffd6c3dc5bcaf77f93b7389950e1cef92abcaddc7eb08c56004c

SHA512
90b013356be5f40543bc1e2267e400ba13435e2c3cd35c1482b30fa32ed9c543d80237f8ab039544ad3f42a17414bad07a3d8e369bc03d3d89fccd3b490ce2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg6FA4.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\Lamper.jpg

Filesize
97KB

MD5
76aa50f1e0bcb4ed44e0da686fb1115a

SHA1
c2083f4218ab03cb5dd7e1fa12cc5b026a2b63fb

SHA256
d7e7113a11841604012fdcb8037ca28de5161a3b9ccffcb8440fba1847e128d8

SHA512
9e295d7881d9e7341f1082221bb5f5ebeee0fa9cb02c6c5ae58194037be23611e5e3a910101afa7509467445a430f459fb3c54016e2874df45781882a0498be4

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\Overnervous.Sla

Filesize
320KB

MD5
221a6562628517a6933d29b29e76b8cc

SHA1
e523c5f795ab732cc82356c521929ec982580565

SHA256
9455ca6ac9eae76168cda03bab599e3ed94ff2bbca2e5336bb3f13af6ec127ec

SHA512
3390a080bb27a59eb6a151e7b143968d0fa5eb894762479c5211005b990cedb7dccc6e45b6db93c47a61f2187a04cb6e64d62a64b062a31d4cb6db47a89c66e7

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\Overnervous.Sla

Filesize
192KB

MD5
5b621bd7409d2b960ad83e04f88a083d

SHA1
4e9484686cc30f84a5020fe9d19ad77bf55683f1

SHA256
1e2c3c3ac0dcb793e111c0aeb601efe72e4c7bb6898a311ccf35304463aea605

SHA512
b42292679617d354c0a3bccdff19360016ee3b6fde7830fda235ddd3ee90097eb391f31df24699858d78cdee5162e339bd9d0d303921c7555d29f77be814a703

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\Overnervous.Sla

Filesize
354KB

MD5
d5c2c281efe1b28b63ce51cb7fba3c9f

SHA1
8c34349bf2e2ac50af8730c57d99ea1d6d658448

SHA256
b68e75b27429029af6e5086dec8696e2dc1bdd00b560cb3597755689500165f9

SHA512
558b394efcc4a571ff5a1826fa6fa79bb374499e61599f198b6bb14b30b82e3e1dea1fa15d6e184197618c19a40aa84e41413ec37e142232ca0f0eb43666152f

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\Refascinate.Nvn

Filesize
61KB

MD5
e2d49fc32bd0b0712384cedfe5349f76

SHA1
defff8f40b1abd20d52ded1b4cbc3f68c6bfb338

SHA256
c087461107716a1f813fa2173f2b5a5adf87476bb292208f59756aa1129cb639

SHA512
a36abb0b610cd866a0ff7b703846548e1bef8414f0804edc103b6aba5e086451550b14233bc8ad9fb9ee807c4cd02585ac9f4168673fd2739ee35f285628f293

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\blev.sic

Filesize
321KB

MD5
2bd23a1fe1db40048da512bea4500417

SHA1
983f7443e7c4c8a37cc92b06b9aefee6e6bf57b9

SHA256
f90b84e5e4fad7afcec2a9f9d29fbacde444ff121f6b1801c2dce6748fb05068

SHA512
e0ce68c81576f52643b59ac448b949617810a62f9b093073304a443d879ab671b006a58c0e50b29197bf053c4d8c01670a3b9efe0d564dd9dd85e160bd281509

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\colleens.txt

Filesize
370B

MD5
313a9633a58de00315d4b8a88456dbd4

SHA1
ac8642ba8fc5ad947be76992b388ba90c1f4f29d

SHA256
cab61979083d60310c85253bc87b5047a40869b56f1d78885f45556a809f47e8

SHA512
c274194f91eff6525d039f602bce9294ebfd805ee1382946a3f89fdf6e6c7e315ff50462c54c51a80da97de66c75e2b450d626b28ac31f391c85f9a6de1f87d1

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\fagkyndige.ini

Filesize
39B

MD5
cfc5144c3a75d5f817151ecf6e59b0f3

SHA1
324399c734ad798dd6f1eead4534f6f9e6bbdd21

SHA256
e8ec675329b6f0e7223548d4dae4fe8787e077ea654913ab4509d927ad5e0bba

SHA512
1e91beba4352d45e4a784956c4b2c7cd19f3cc38bece8aa1f0729e4a4b6f334d8b55ff1083bf42c942b7c755740adae4e316654828c4c004bc838671505b2adb

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\myocardium.set

Filesize
394KB

MD5
e394eba898e6c64de87228a8e2f86480

SHA1
56d3342568f90282edcb24da3d79559316d1f181

SHA256
f2eaac6d269bf7ba5e033a525359ea1865dcb4008f8d320fa1883e90705b74f2

SHA512
bd99eaf068ac0309ddf6ebfe7862dcd33b5fbb4cb350a7f18791d984600e70978e00348a32e0e8157e8a145eb50c18dd9617684ae3f009932eacdc67ba115413

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\noncontestable.sys

Filesize
356KB

MD5
1c0e5e3fad38ad4c071145b0c91b1c75

SHA1
d4332d34c719454b251de7fea2f7ebf74e9ce59f

SHA256
c9d19087bf0a5cce7b23a791be76d2ed701b7dce69f86baefaa99e7a19fb1567

SHA512
9b71e0ac39de87e365d87df4052922d545f90e9b899b962459b9f9e5598a19a36ce247e03cc916d76feef53c5a54a6ae7bb8694e08cfa28822a522f2782a6689

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\noncontestable.sys

Filesize
256KB

MD5
d343f18b57b90af03c1e63bb9c92b4ef

SHA1
646c310be63528253367566dd9248ed0bd98bb38

SHA256
9f7b390afa25af9e31e2970aa7a079ef312dc3d8ea646edc9bd5220f842c6dfa

SHA512
90fbed1d634116c963988656dd4d4d22605399c137d9c73c8711ff838fdb73a6ef6f1525194a21273602effe6b344ec5e12bb4b59fb5bbb19b8c1a7b1996aa91

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Guldmedaljen\noncontestable.sys

Filesize
320KB

MD5
d1a0af180c3cc3977ed45c87f9a8da6c

SHA1
43a985724d8ca97c5cb3cac80305ca699be828fe

SHA256
24fca5e04954e2c230a8df2a3363c43e79115c29718d70f8605b5e2f0f61b869

SHA512
4b572e6ced0189f8d6f44a20f397ec74c7e950b55fd0ac875dee0e2d05f0248514f873cde52c248b4892d76785a2a0a62cadf93c47a6bd08c34b1b9fa0174047

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Lovats\opkast.jpg

Filesize
8KB

MD5
a798defe4bd96ce304a2b64ba9db9451

SHA1
ebe61d1bb9f882db6779e125239c94e24fa31ac8

SHA256
4c4e725a9de497a0171cb912ae1039cf782bdda0791bc15e6960c643f36282b7

SHA512
6e5b183e0fd717c7f56318f6cb8b2e273c5541d1c0205cb9af317d66a062613c9d5e08d601ed8164c6bb785349482f2406db34254bc886898a165b3608aebd69

Download Submit
C:\Users\Admin\hjemmefronter\Synthetase54\Xylophagan\Lovats\wineshop.ini

Filesize
616B

MD5
059cb6042549f01a636176876a196d29

SHA1
434624b61da12f82cd9dd001cf89071e289d6692

SHA256
c937269a7ddc6b76b73dd9cbd9e64b318665f2c622b00a7ab6e8d0cc31583c2c

SHA512
6fdd35b9bd2494f7a4831779cf5e55aa7620cc41c08915aca25279dc071f2016e6960c9c50a4d709a64a7b2d01234b11144e82159ad8a671535cade0c66ee208

Download Submit
memory/1156-18-0x0000000077171000-0x0000000077291000-memory.dmp

Filesize
1.1MB

Download
memory/1156-17-0x0000000003280000-0x0000000004C4A000-memory.dmp

Filesize
25.8MB

Download
memory/1156-19-0x0000000073E65000-0x0000000073E66000-memory.dmp

Filesize
4KB

Download
memory/1156-21-0x0000000003280000-0x0000000004C4A000-memory.dmp

Filesize
25.8MB

Download
memory/1596-185-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-183-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1680-31-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1680-46-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1680-35-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/1680-22-0x00000000771F8000-0x00000000771F9000-memory.dmp

Filesize
4KB

Download
memory/1680-30-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/1680-23-0x0000000077215000-0x0000000077216000-memory.dmp

Filesize
4KB

Download
memory/1680-47-0x0000000077171000-0x0000000077291000-memory.dmp

Filesize
1.1MB

Download
memory/2696-175-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2696-176-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4492-193-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/4492-202-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4492-201-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/4912-118-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/4912-194-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-209-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-124-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-188-0x0000000033E90000-0x0000000033EA9000-memory.dmp

Filesize
100KB

Download
memory/4912-191-0x0000000033E90000-0x0000000033EA9000-memory.dmp

Filesize
100KB

Download
memory/4912-190-0x0000000033E90000-0x0000000033EA9000-memory.dmp

Filesize
100KB

Download
memory/4912-192-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-208-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-125-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-196-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-129-0x00000000016C0000-0x000000000308A000-memory.dmp

Filesize
25.8MB

Download
memory/4912-207-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-203-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-204-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-205-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4912-206-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/5920-178-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5920-182-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5920-177-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads