guloader | 2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

Analysis

max time kernel
114s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Size

64KB
MD5

4aa5734fe9c86184f931f4ddaf2d4d7b
SHA1

a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA256

2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA512

7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
SSDEEP

384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score

10^/10

guloader discovery downloader persistence

Malware Config

Extracted

Family

guloader

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 16 IoCs

pid	Process
6124	erythroph.exe
5732	erythroph.exe
5032	erythroph.exe
5856	erythroph.exe
6068	erythroph.exe
4312	erythroph.exe
5080	erythroph.exe
1940	erythroph.exe
5068	erythroph.exe
276	erythroph.exe
1752	erythroph.exe
1640	erythroph.exe
5448	erythroph.exe
1484	erythroph.exe
2820	erythroph.exe
4676	erythroph.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
4972	RegAsm.exe
6124	erythroph.exe
5580	RegAsm.exe
5732	erythroph.exe
2624	RegAsm.exe
5032	erythroph.exe
5024	RegAsm.exe
5856	erythroph.exe
4272	RegAsm.exe
6068	erythroph.exe
2368	RegAsm.exe
4312	erythroph.exe
4436	RegAsm.exe
5080	erythroph.exe
2080	RegAsm.exe
1940	erythroph.exe
1100	RegAsm.exe
5068	erythroph.exe
4520	RegAsm.exe
276	erythroph.exe
4708	RegAsm.exe
1752	erythroph.exe
6044	RegAsm.exe
1640	erythroph.exe
2640	RegAsm.exe
5448	erythroph.exe
2092	RegAsm.exe
1484	erythroph.exe
5208	RegAsm.exe
2820	erythroph.exe
4920	RegAsm.exe
4676	erythroph.exe
2756	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 4972	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 6124 set thread context of 5580	6124	erythroph.exe	85
PID 5732 set thread context of 2624	5732	erythroph.exe	90
PID 5032 set thread context of 5024	5032	erythroph.exe	95
PID 5856 set thread context of 4272	5856	erythroph.exe	100
PID 6068 set thread context of 2368	6068	erythroph.exe	105
PID 4312 set thread context of 4436	4312	erythroph.exe	110
PID 5080 set thread context of 2080	5080	erythroph.exe	116
PID 1940 set thread context of 1100	1940	erythroph.exe	123
PID 5068 set thread context of 4520	5068	erythroph.exe	128
PID 276 set thread context of 4708	276	erythroph.exe	133
PID 1752 set thread context of 6044	1752	erythroph.exe	139
PID 1640 set thread context of 2640	1640	erythroph.exe	144
PID 5448 set thread context of 2092	5448	erythroph.exe	149
PID 1484 set thread context of 5208	1484	erythroph.exe	155
PID 2820 set thread context of 4920	2820	erythroph.exe	161
PID 4676 set thread context of 2756	4676	erythroph.exe	166

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
6124	erythroph.exe
5732	erythroph.exe
5032	erythroph.exe
5856	erythroph.exe
6068	erythroph.exe
4312	erythroph.exe
5080	erythroph.exe
5080	erythroph.exe
1940	erythroph.exe
1940	erythroph.exe
1940	erythroph.exe
5068	erythroph.exe
276	erythroph.exe
1752	erythroph.exe
1752	erythroph.exe
1640	erythroph.exe
5448	erythroph.exe
1484	erythroph.exe
1484	erythroph.exe
2820	erythroph.exe
2820	erythroph.exe
4676	erythroph.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
6124	erythroph.exe
5732	erythroph.exe
5032	erythroph.exe
5856	erythroph.exe
6068	erythroph.exe
4312	erythroph.exe
5080	erythroph.exe
1940	erythroph.exe
5068	erythroph.exe
276	erythroph.exe
1752	erythroph.exe
1640	erythroph.exe
5448	erythroph.exe
1484	erythroph.exe
2820	erythroph.exe
4676	erythroph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3312	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 1212 wrote to memory of 3312	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 1212 wrote to memory of 3312	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 1212 wrote to memory of 1204	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 1212 wrote to memory of 1204	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 1212 wrote to memory of 1204	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 1212 wrote to memory of 4972	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 1212 wrote to memory of 4972	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 1212 wrote to memory of 4972	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 1212 wrote to memory of 4972	1212	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 5924 wrote to memory of 6124	5924	cmd.exe	84
PID 5924 wrote to memory of 6124	5924	cmd.exe	84
PID 5924 wrote to memory of 6124	5924	cmd.exe	84
PID 6124 wrote to memory of 5580	6124	erythroph.exe	85
PID 6124 wrote to memory of 5580	6124	erythroph.exe	85
PID 6124 wrote to memory of 5580	6124	erythroph.exe	85
PID 6124 wrote to memory of 5580	6124	erythroph.exe	85
PID 5456 wrote to memory of 5732	5456	cmd.exe	89
PID 5456 wrote to memory of 5732	5456	cmd.exe	89
PID 5456 wrote to memory of 5732	5456	cmd.exe	89
PID 5732 wrote to memory of 2624	5732	erythroph.exe	90
PID 5732 wrote to memory of 2624	5732	erythroph.exe	90
PID 5732 wrote to memory of 2624	5732	erythroph.exe	90
PID 5732 wrote to memory of 2624	5732	erythroph.exe	90
PID 4900 wrote to memory of 5032	4900	cmd.exe	94
PID 4900 wrote to memory of 5032	4900	cmd.exe	94
PID 4900 wrote to memory of 5032	4900	cmd.exe	94
PID 5032 wrote to memory of 5024	5032	erythroph.exe	95
PID 5032 wrote to memory of 5024	5032	erythroph.exe	95
PID 5032 wrote to memory of 5024	5032	erythroph.exe	95
PID 5032 wrote to memory of 5024	5032	erythroph.exe	95
PID 5064 wrote to memory of 5856	5064	cmd.exe	99
PID 5064 wrote to memory of 5856	5064	cmd.exe	99
PID 5064 wrote to memory of 5856	5064	cmd.exe	99
PID 5856 wrote to memory of 4272	5856	erythroph.exe	100
PID 5856 wrote to memory of 4272	5856	erythroph.exe	100
PID 5856 wrote to memory of 4272	5856	erythroph.exe	100
PID 5856 wrote to memory of 4272	5856	erythroph.exe	100
PID 4364 wrote to memory of 6068	4364	cmd.exe	104
PID 4364 wrote to memory of 6068	4364	cmd.exe	104
PID 4364 wrote to memory of 6068	4364	cmd.exe	104
PID 6068 wrote to memory of 2368	6068	erythroph.exe	105
PID 6068 wrote to memory of 2368	6068	erythroph.exe	105
PID 6068 wrote to memory of 2368	6068	erythroph.exe	105
PID 6068 wrote to memory of 2368	6068	erythroph.exe	105
PID 2824 wrote to memory of 4312	2824	cmd.exe	109
PID 2824 wrote to memory of 4312	2824	cmd.exe	109
PID 2824 wrote to memory of 4312	2824	cmd.exe	109
PID 4312 wrote to memory of 4436	4312	erythroph.exe	110
PID 4312 wrote to memory of 4436	4312	erythroph.exe	110
PID 4312 wrote to memory of 4436	4312	erythroph.exe	110
PID 4312 wrote to memory of 4436	4312	erythroph.exe	110
PID 5180 wrote to memory of 5080	5180	cmd.exe	114
PID 5180 wrote to memory of 5080	5180	cmd.exe	114
PID 5180 wrote to memory of 5080	5180	cmd.exe	114
PID 5080 wrote to memory of 3380	5080	erythroph.exe	115
PID 5080 wrote to memory of 3380	5080	erythroph.exe	115
PID 5080 wrote to memory of 3380	5080	erythroph.exe	115
PID 5080 wrote to memory of 2080	5080	erythroph.exe	116
PID 5080 wrote to memory of 2080	5080	erythroph.exe	116
PID 5080 wrote to memory of 2080	5080	erythroph.exe	116
PID 5080 wrote to memory of 2080	5080	erythroph.exe	116
PID 2588 wrote to memory of 1940	2588	cmd.exe	120
PID 2588 wrote to memory of 1940	2588	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:3312
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5924
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5456
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5180
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1228
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5668
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4544
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5392
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4768
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1704
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1664
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:2592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1424
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2756

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TROFFE\erythroph.exe

Filesize
64KB

MD5
4aa5734fe9c86184f931f4ddaf2d4d7b

SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac

SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

Download Submit
memory/1212-2-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/1212-3-0x00007FFE7D241000-0x00007FFE7D36A000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/1212-24-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/1212-63-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/4972-5-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/4972-7-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/4972-34-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/5580-14-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/5580-50-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download
memory/6124-13-0x00007FFE7D240000-0x00007FFE7D449000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads