Overview

overview

10

Static

static

10

virusshare...7b.exe

windows10-2004-x64

10

virusshare...7b.exe

windows11-21h2-x64

10

Resubmissions

16/04/2025, 16:46

250416-vaaahaxnt9 10

16/04/2025, 13:10

250416-qerccswjt5 10

16/04/2025, 12:57

250416-p6x4jsvrx2 10

16/04/2025, 12:51

250416-p3kn2svrv5 10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2025, 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    virusshare/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe

  • Size

    64KB

  • MD5

    4aa5734fe9c86184f931f4ddaf2d4d7b

  • SHA1

    a066ccad76f3c63d053cd68ac8692d4f4acf82ac

  • SHA256

    2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

  • SHA512

    7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

  • SSDEEP

    384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score
10/10
guloaderdiscoverydownloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
    "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:5356
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5404
    • C:\Users\Admin\TROFFE\erythroph.exe
      C:\Users\Admin\TROFFE\erythroph.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5972
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        C:\Users\Admin\TROFFE\erythroph.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:4852
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\TROFFE\erythroph.exe
      C:\Users\Admin\TROFFE\erythroph.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        C:\Users\Admin\TROFFE\erythroph.exe
        3⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:5088
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Users\Admin\TROFFE\erythroph.exe
      C:\Users\Admin\TROFFE\erythroph.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        C:\Users\Admin\TROFFE\erythroph.exe
        3⤵
          PID:3372
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          C:\Users\Admin\TROFFE\erythroph.exe
          3⤵
            PID:3924
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            C:\Users\Admin\TROFFE\erythroph.exe
            3⤵
              PID:4056
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
              C:\Users\Admin\TROFFE\erythroph.exe
              3⤵
                PID:4036
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                C:\Users\Admin\TROFFE\erythroph.exe
                3⤵
                  PID:3840
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                  C:\Users\Admin\TROFFE\erythroph.exe
                  3⤵
                    PID:4456
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                    C:\Users\Admin\TROFFE\erythroph.exe
                    3⤵
                      PID:1952
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                      C:\Users\Admin\TROFFE\erythroph.exe
                      3⤵
                        PID:4884
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                        C:\Users\Admin\TROFFE\erythroph.exe
                        3⤵
                          PID:4648
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                          C:\Users\Admin\TROFFE\erythroph.exe
                          3⤵
                            PID:6004
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                            C:\Users\Admin\TROFFE\erythroph.exe
                            3⤵
                              PID:1852
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                              C:\Users\Admin\TROFFE\erythroph.exe
                              3⤵
                                PID:5532
                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                C:\Users\Admin\TROFFE\erythroph.exe
                                3⤵
                                  PID:924
                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                  C:\Users\Admin\TROFFE\erythroph.exe
                                  3⤵
                                    PID:856
                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                    C:\Users\Admin\TROFFE\erythroph.exe
                                    3⤵
                                      PID:880
                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                      C:\Users\Admin\TROFFE\erythroph.exe
                                      3⤵
                                        PID:396
                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                        C:\Users\Admin\TROFFE\erythroph.exe
                                        3⤵
                                          PID:5824
                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                          C:\Users\Admin\TROFFE\erythroph.exe
                                          3⤵
                                            PID:2076
                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                            C:\Users\Admin\TROFFE\erythroph.exe
                                            3⤵
                                              PID:1580
                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                              C:\Users\Admin\TROFFE\erythroph.exe
                                              3⤵
                                                PID:2928
                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                3⤵
                                                  PID:2492
                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                  3⤵
                                                    PID:2252
                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                    3⤵
                                                      PID:2304
                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                      3⤵
                                                        PID:1752
                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                        3⤵
                                                          PID:5896
                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                          3⤵
                                                            PID:2092
                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                            3⤵
                                                              PID:548
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                              3⤵
                                                                PID:3224
                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                3⤵
                                                                  PID:3008
                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                  3⤵
                                                                    PID:2264
                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                    3⤵
                                                                      PID:3276
                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                      3⤵
                                                                        PID:3416
                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                        3⤵
                                                                          PID:1800
                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                          3⤵
                                                                            PID:3400
                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                            3⤵
                                                                              PID:3364
                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                              3⤵
                                                                                PID:3936
                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                3⤵
                                                                                  PID:892
                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                  3⤵
                                                                                    PID:2960
                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                    3⤵
                                                                                      PID:3880
                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                      3⤵
                                                                                        PID:2000
                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                        3⤵
                                                                                          PID:3600
                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                          3⤵
                                                                                            PID:5232
                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                            3⤵
                                                                                              PID:1720
                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                              3⤵
                                                                                                PID:4384
                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                3⤵
                                                                                                  PID:4392
                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                  3⤵
                                                                                                    PID:1144
                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                    3⤵
                                                                                                      PID:1192
                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                      3⤵
                                                                                                        PID:1216
                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                        3⤵
                                                                                                          PID:764
                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                          3⤵
                                                                                                            PID:2064
                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                            3⤵
                                                                                                              PID:3020
                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                              3⤵
                                                                                                                PID:2612
                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                3⤵
                                                                                                                  PID:816
                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                  3⤵
                                                                                                                    PID:3952
                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                    3⤵
                                                                                                                      PID:5208
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                      3⤵
                                                                                                                        PID:5060
                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                        3⤵
                                                                                                                          PID:4252
                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                          3⤵
                                                                                                                            PID:5780
                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                            3⤵
                                                                                                                              PID:3320
                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                              3⤵
                                                                                                                                PID:2268
                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                3⤵
                                                                                                                                  PID:5336
                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                  3⤵
                                                                                                                                    PID:1936
                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                    3⤵
                                                                                                                                      PID:4084
                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                      3⤵
                                                                                                                                        PID:3624
                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                        3⤵
                                                                                                                                          PID:1856
                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                          3⤵
                                                                                                                                            PID:5916
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                            3⤵
                                                                                                                                              PID:2984
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                              3⤵
                                                                                                                                                PID:4076
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                3⤵
                                                                                                                                                  PID:4380
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                  3⤵
                                                                                                                                                    PID:5832
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2776
                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                      3⤵
                                                                                                                                                        PID:4308
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1492
                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                          3⤵
                                                                                                                                                            PID:4572
                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                            3⤵
                                                                                                                                                              PID:4508
                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5812
                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:4184
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                  C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:4344
                                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                    C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:460
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                      C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:1168
                                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                        C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:3744
                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                          C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:4584
                                                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                                                                                            C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:1436
                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                                                              C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:5464
                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                                                                                                                                                                                C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:4356

                                                                                                                                                                            Network

                                                                                                                                                                            MITRE ATT&CK Enterprise v16

                                                                                                                                                                            Replay Monitor

                                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                                            Downloads

                                                                                                                                                                            • C:\Users\Admin\TROFFE\erythroph.exe
                                                                                                                                                                              Filesize

                                                                                                                                                                              64KB

                                                                                                                                                                              MD5

                                                                                                                                                                              4aa5734fe9c86184f931f4ddaf2d4d7b

                                                                                                                                                                              SHA1

                                                                                                                                                                              a066ccad76f3c63d053cd68ac8692d4f4acf82ac

                                                                                                                                                                              SHA256

                                                                                                                                                                              2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

                                                                                                                                                                              SHA512

                                                                                                                                                                              7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

                                                                                                                                                                              Download Submit

                                                                                                                                                                            • memory/212-21-0x0000000002240000-0x0000000002248000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/212-3-0x00000000776D1000-0x00000000777F1000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1.1MB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/212-26-0x0000000002240000-0x0000000002248000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/212-2-0x0000000002240000-0x0000000002248000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/212-22-0x00000000776D1000-0x00000000777F1000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1.1MB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/4852-25-0x0000000000E00000-0x0000000000F00000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1024KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/4852-14-0x0000000000E00000-0x0000000000F00000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1024KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5356-5-0x00000000776D1000-0x00000000777F1000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1.1MB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5356-23-0x0000000000D00000-0x0000000000E00000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1024KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5356-4-0x0000000000D00000-0x0000000000E00000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1024KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5972-13-0x00000000776D1000-0x00000000777F1000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              1.1MB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5972-24-0x0000000000710000-0x0000000000718000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5972-12-0x0000000000710000-0x0000000000718000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download

                                                                                                                                                                            • memory/5972-27-0x0000000000710000-0x0000000000718000-memory.dmp

                                                                                                                                                                              Filesize

                                                                                                                                                                              32KB

                                                                                                                                                                              Download