guloader | 2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Size

64KB
MD5

4aa5734fe9c86184f931f4ddaf2d4d7b
SHA1

a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA256

2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA512

7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
SSDEEP

384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score

10^/10

guloader discovery downloader persistence

Malware Config

Extracted

Family

guloader

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 16 IoCs

pid	Process
2068	erythroph.exe
2092	erythroph.exe
3736	erythroph.exe
2472	erythroph.exe
416	erythroph.exe
2968	erythroph.exe
2216	erythroph.exe
3652	erythroph.exe
5160	erythroph.exe
4568	erythroph.exe
5036	erythroph.exe
5904	erythroph.exe
6032	erythroph.exe
1484	erythroph.exe
5344	erythroph.exe
2312	erythroph.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
4604	RegAsm.exe
2068	erythroph.exe
6004	RegAsm.exe
2092	erythroph.exe
5896	RegAsm.exe
3736	erythroph.exe
4456	RegAsm.exe
2472	erythroph.exe
4644	RegAsm.exe
416	erythroph.exe
2292	RegAsm.exe
2968	erythroph.exe
5252	RegAsm.exe
2216	erythroph.exe
5648	RegAsm.exe
3652	erythroph.exe
3600	RegAsm.exe
5160	erythroph.exe
3188	RegAsm.exe
4568	erythroph.exe
1020	RegAsm.exe
5036	erythroph.exe
5460	RegAsm.exe
5904	erythroph.exe
3544	RegAsm.exe
6032	erythroph.exe
5668	RegAsm.exe
1484	erythroph.exe
1624	RegAsm.exe
5344	erythroph.exe
5480	RegAsm.exe
2312	erythroph.exe
2624	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 244 set thread context of 4604	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 2068 set thread context of 6004	2068	erythroph.exe	86
PID 2092 set thread context of 5896	2092	erythroph.exe	91
PID 3736 set thread context of 4456	3736	erythroph.exe	96
PID 2472 set thread context of 4644	2472	erythroph.exe	101
PID 416 set thread context of 2292	416	erythroph.exe	110
PID 2968 set thread context of 5252	2968	erythroph.exe	115
PID 2216 set thread context of 5648	2216	erythroph.exe	120
PID 3652 set thread context of 3600	3652	erythroph.exe	125
PID 5160 set thread context of 3188	5160	erythroph.exe	132
PID 4568 set thread context of 1020	4568	erythroph.exe	137
PID 5036 set thread context of 5460	5036	erythroph.exe	142
PID 5904 set thread context of 3544	5904	erythroph.exe	148
PID 6032 set thread context of 5668	6032	erythroph.exe	154
PID 1484 set thread context of 1624	1484	erythroph.exe	159
PID 5344 set thread context of 5480	5344	erythroph.exe	164
PID 2312 set thread context of 2624	2312	erythroph.exe	171

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2068	erythroph.exe
2068	erythroph.exe
2068	erythroph.exe
2092	erythroph.exe
3736	erythroph.exe
2472	erythroph.exe
416	erythroph.exe
416	erythroph.exe
416	erythroph.exe
416	erythroph.exe
416	erythroph.exe
2968	erythroph.exe
2216	erythroph.exe
3652	erythroph.exe
5160	erythroph.exe
5160	erythroph.exe
5160	erythroph.exe
4568	erythroph.exe
5036	erythroph.exe
5904	erythroph.exe
5904	erythroph.exe
6032	erythroph.exe
6032	erythroph.exe
1484	erythroph.exe
5344	erythroph.exe
2312	erythroph.exe
2312	erythroph.exe
2312	erythroph.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2068	erythroph.exe
2092	erythroph.exe
3736	erythroph.exe
2472	erythroph.exe
416	erythroph.exe
2968	erythroph.exe
2216	erythroph.exe
3652	erythroph.exe
5160	erythroph.exe
4568	erythroph.exe
5036	erythroph.exe
5904	erythroph.exe
6032	erythroph.exe
1484	erythroph.exe
5344	erythroph.exe
2312	erythroph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4660	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 244 wrote to memory of 4660	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 244 wrote to memory of 4660	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	78
PID 244 wrote to memory of 4604	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 244 wrote to memory of 4604	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 244 wrote to memory of 4604	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 244 wrote to memory of 4604	244	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 4176 wrote to memory of 2068	4176	cmd.exe	83
PID 4176 wrote to memory of 2068	4176	cmd.exe	83
PID 4176 wrote to memory of 2068	4176	cmd.exe	83
PID 2068 wrote to memory of 6000	2068	erythroph.exe	84
PID 2068 wrote to memory of 6000	2068	erythroph.exe	84
PID 2068 wrote to memory of 6000	2068	erythroph.exe	84
PID 2068 wrote to memory of 3116	2068	erythroph.exe	85
PID 2068 wrote to memory of 3116	2068	erythroph.exe	85
PID 2068 wrote to memory of 3116	2068	erythroph.exe	85
PID 2068 wrote to memory of 6004	2068	erythroph.exe	86
PID 2068 wrote to memory of 6004	2068	erythroph.exe	86
PID 2068 wrote to memory of 6004	2068	erythroph.exe	86
PID 2068 wrote to memory of 6004	2068	erythroph.exe	86
PID 2232 wrote to memory of 2092	2232	cmd.exe	90
PID 2232 wrote to memory of 2092	2232	cmd.exe	90
PID 2232 wrote to memory of 2092	2232	cmd.exe	90
PID 2092 wrote to memory of 5896	2092	erythroph.exe	91
PID 2092 wrote to memory of 5896	2092	erythroph.exe	91
PID 2092 wrote to memory of 5896	2092	erythroph.exe	91
PID 2092 wrote to memory of 5896	2092	erythroph.exe	91
PID 4900 wrote to memory of 3736	4900	cmd.exe	95
PID 4900 wrote to memory of 3736	4900	cmd.exe	95
PID 4900 wrote to memory of 3736	4900	cmd.exe	95
PID 3736 wrote to memory of 4456	3736	erythroph.exe	96
PID 3736 wrote to memory of 4456	3736	erythroph.exe	96
PID 3736 wrote to memory of 4456	3736	erythroph.exe	96
PID 3736 wrote to memory of 4456	3736	erythroph.exe	96
PID 772 wrote to memory of 2472	772	cmd.exe	100
PID 772 wrote to memory of 2472	772	cmd.exe	100
PID 772 wrote to memory of 2472	772	cmd.exe	100
PID 2472 wrote to memory of 4644	2472	erythroph.exe	101
PID 2472 wrote to memory of 4644	2472	erythroph.exe	101
PID 2472 wrote to memory of 4644	2472	erythroph.exe	101
PID 2472 wrote to memory of 4644	2472	erythroph.exe	101
PID 5644 wrote to memory of 416	5644	cmd.exe	105
PID 5644 wrote to memory of 416	5644	cmd.exe	105
PID 5644 wrote to memory of 416	5644	cmd.exe	105
PID 416 wrote to memory of 2448	416	erythroph.exe	106
PID 416 wrote to memory of 2448	416	erythroph.exe	106
PID 416 wrote to memory of 2448	416	erythroph.exe	106
PID 416 wrote to memory of 2464	416	erythroph.exe	107
PID 416 wrote to memory of 2464	416	erythroph.exe	107
PID 416 wrote to memory of 2464	416	erythroph.exe	107
PID 416 wrote to memory of 2304	416	erythroph.exe	108
PID 416 wrote to memory of 2304	416	erythroph.exe	108
PID 416 wrote to memory of 2304	416	erythroph.exe	108
PID 416 wrote to memory of 720	416	erythroph.exe	109
PID 416 wrote to memory of 720	416	erythroph.exe	109
PID 416 wrote to memory of 720	416	erythroph.exe	109
PID 416 wrote to memory of 2292	416	erythroph.exe	110
PID 416 wrote to memory of 2292	416	erythroph.exe	110
PID 416 wrote to memory of 2292	416	erythroph.exe	110
PID 416 wrote to memory of 2292	416	erythroph.exe	110
PID 1096 wrote to memory of 2968	1096	cmd.exe	114
PID 1096 wrote to memory of 2968	1096	cmd.exe	114
PID 1096 wrote to memory of 2968	1096	cmd.exe	114
PID 2968 wrote to memory of 5252	2968	erythroph.exe	115

C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:4660
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:6000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:2448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:2464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:2304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:3216
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1056
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:3652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1608
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:4640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5820
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2696
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5180
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2140
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:6032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4144
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5468
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2756
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2624

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TROFFE\erythroph.exe

Filesize
64KB

MD5
4aa5734fe9c86184f931f4ddaf2d4d7b

SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac

SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

Download Submit
memory/244-24-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/244-3-0x00007FF83E2A1000-0x00007FF83E3CA000-memory.dmp

Filesize
1.2MB

Download
memory/244-4-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/244-2-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/244-64-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2068-13-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/4604-5-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/4604-34-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/4604-7-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/5648-63-0x0000000075000000-0x000000007528A000-memory.dmp

Filesize
2.5MB

Download
memory/6004-14-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download
memory/6004-51-0x00007FF83E2A0000-0x00007FF83E4A9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads