guloader | 487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Analysis

max time kernel
97s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Size

64KB
MD5

4aa5734fe9c86184f931f4ddaf2d4d7b
SHA1

a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA256

2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA512

7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
SSDEEP

384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score

10^/10

guloader discovery downloader persistence

Malware Config

Extracted

Family

guloader

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 16 IoCs

pid	Process
5104	erythroph.exe
6120	erythroph.exe
6140	erythroph.exe
4500	erythroph.exe
2980	erythroph.exe
5844	erythroph.exe
1548	erythroph.exe
5592	erythroph.exe
1248	erythroph.exe
2204	erythroph.exe
5640	erythroph.exe
5240	erythroph.exe
1312	erythroph.exe
280	erythroph.exe
2196	erythroph.exe
4692	erythroph.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
5016	RegAsm.exe
5104	erythroph.exe
4568	RegAsm.exe
6120	erythroph.exe
2316	RegAsm.exe
6140	erythroph.exe
2112	RegAsm.exe
4500	erythroph.exe
8	RegAsm.exe
2980	erythroph.exe
1748	RegAsm.exe
5844	erythroph.exe
5896	RegAsm.exe
1548	erythroph.exe
3160	RegAsm.exe
5592	erythroph.exe
2120	RegAsm.exe
1248	erythroph.exe
988	RegAsm.exe
2204	erythroph.exe
2476	RegAsm.exe
5640	erythroph.exe
3444	RegAsm.exe
5240	erythroph.exe
5948	RegAsm.exe
1312	erythroph.exe
3224	RegAsm.exe
280	erythroph.exe
5988	RegAsm.exe
2196	erythroph.exe
5004	RegAsm.exe
4692	erythroph.exe
4216	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 5016	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	85
PID 5104 set thread context of 4568	5104	erythroph.exe	91
PID 6120 set thread context of 2316	6120	erythroph.exe	98
PID 6140 set thread context of 2112	6140	erythroph.exe	103
PID 4500 set thread context of 8	4500	erythroph.exe	109
PID 2980 set thread context of 1748	2980	erythroph.exe	115
PID 5844 set thread context of 5896	5844	erythroph.exe	122
PID 1548 set thread context of 3160	1548	erythroph.exe	129
PID 5592 set thread context of 2120	5592	erythroph.exe	136
PID 1248 set thread context of 988	1248	erythroph.exe	141
PID 2204 set thread context of 2476	2204	erythroph.exe	147
PID 5640 set thread context of 3444	5640	erythroph.exe	152
PID 5240 set thread context of 5948	5240	erythroph.exe	158
PID 1312 set thread context of 3224	1312	erythroph.exe	163
PID 280 set thread context of 5988	280	erythroph.exe	168
PID 2196 set thread context of 5004	2196	erythroph.exe	173
PID 4692 set thread context of 4216	4692	erythroph.exe	178

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
5104	erythroph.exe
6120	erythroph.exe
6120	erythroph.exe
6120	erythroph.exe
6140	erythroph.exe
4500	erythroph.exe
4500	erythroph.exe
2980	erythroph.exe
2980	erythroph.exe
5844	erythroph.exe
5844	erythroph.exe
5844	erythroph.exe
1548	erythroph.exe
1548	erythroph.exe
1548	erythroph.exe
5592	erythroph.exe
5592	erythroph.exe
5592	erythroph.exe
1248	erythroph.exe
2204	erythroph.exe
2204	erythroph.exe
5640	erythroph.exe
5240	erythroph.exe
5240	erythroph.exe
1312	erythroph.exe
280	erythroph.exe
2196	erythroph.exe
4692	erythroph.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
5104	erythroph.exe
6120	erythroph.exe
6140	erythroph.exe
4500	erythroph.exe
2980	erythroph.exe
5844	erythroph.exe
1548	erythroph.exe
5592	erythroph.exe
1248	erythroph.exe
2204	erythroph.exe
5640	erythroph.exe
5240	erythroph.exe
1312	erythroph.exe
280	erythroph.exe
2196	erythroph.exe
4692	erythroph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1176	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 2816 wrote to memory of 1176	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 2816 wrote to memory of 1176	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 2816 wrote to memory of 5016	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	85
PID 2816 wrote to memory of 5016	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	85
PID 2816 wrote to memory of 5016	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	85
PID 2816 wrote to memory of 5016	2816	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	85
PID 4904 wrote to memory of 5104	4904	cmd.exe	89
PID 4904 wrote to memory of 5104	4904	cmd.exe	89
PID 4904 wrote to memory of 5104	4904	cmd.exe	89
PID 5104 wrote to memory of 4568	5104	erythroph.exe	91
PID 5104 wrote to memory of 4568	5104	erythroph.exe	91
PID 5104 wrote to memory of 4568	5104	erythroph.exe	91
PID 5104 wrote to memory of 4568	5104	erythroph.exe	91
PID 2304 wrote to memory of 6120	2304	cmd.exe	95
PID 2304 wrote to memory of 6120	2304	cmd.exe	95
PID 2304 wrote to memory of 6120	2304	cmd.exe	95
PID 6120 wrote to memory of 5136	6120	erythroph.exe	96
PID 6120 wrote to memory of 5136	6120	erythroph.exe	96
PID 6120 wrote to memory of 5136	6120	erythroph.exe	96
PID 6120 wrote to memory of 5580	6120	erythroph.exe	97
PID 6120 wrote to memory of 5580	6120	erythroph.exe	97
PID 6120 wrote to memory of 5580	6120	erythroph.exe	97
PID 6120 wrote to memory of 2316	6120	erythroph.exe	98
PID 6120 wrote to memory of 2316	6120	erythroph.exe	98
PID 6120 wrote to memory of 2316	6120	erythroph.exe	98
PID 6120 wrote to memory of 2316	6120	erythroph.exe	98
PID 3216 wrote to memory of 6140	3216	cmd.exe	102
PID 3216 wrote to memory of 6140	3216	cmd.exe	102
PID 3216 wrote to memory of 6140	3216	cmd.exe	102
PID 6140 wrote to memory of 2112	6140	erythroph.exe	103
PID 6140 wrote to memory of 2112	6140	erythroph.exe	103
PID 6140 wrote to memory of 2112	6140	erythroph.exe	103
PID 6140 wrote to memory of 2112	6140	erythroph.exe	103
PID 5364 wrote to memory of 4500	5364	cmd.exe	107
PID 5364 wrote to memory of 4500	5364	cmd.exe	107
PID 5364 wrote to memory of 4500	5364	cmd.exe	107
PID 4500 wrote to memory of 3512	4500	erythroph.exe	108
PID 4500 wrote to memory of 3512	4500	erythroph.exe	108
PID 4500 wrote to memory of 3512	4500	erythroph.exe	108
PID 4500 wrote to memory of 8	4500	erythroph.exe	109
PID 4500 wrote to memory of 8	4500	erythroph.exe	109
PID 4500 wrote to memory of 8	4500	erythroph.exe	109
PID 4500 wrote to memory of 8	4500	erythroph.exe	109
PID 4244 wrote to memory of 2980	4244	cmd.exe	113
PID 4244 wrote to memory of 2980	4244	cmd.exe	113
PID 4244 wrote to memory of 2980	4244	cmd.exe	113
PID 2980 wrote to memory of 1584	2980	erythroph.exe	114
PID 2980 wrote to memory of 1584	2980	erythroph.exe	114
PID 2980 wrote to memory of 1584	2980	erythroph.exe	114
PID 2980 wrote to memory of 1748	2980	erythroph.exe	115
PID 2980 wrote to memory of 1748	2980	erythroph.exe	115
PID 2980 wrote to memory of 1748	2980	erythroph.exe	115
PID 2980 wrote to memory of 1748	2980	erythroph.exe	115
PID 4592 wrote to memory of 5844	4592	cmd.exe	119
PID 4592 wrote to memory of 5844	4592	cmd.exe	119
PID 4592 wrote to memory of 5844	4592	cmd.exe	119
PID 5844 wrote to memory of 4032	5844	erythroph.exe	120
PID 5844 wrote to memory of 4032	5844	erythroph.exe	120
PID 5844 wrote to memory of 4032	5844	erythroph.exe	120
PID 5844 wrote to memory of 3000	5844	erythroph.exe	121
PID 5844 wrote to memory of 3000	5844	erythroph.exe	121
PID 5844 wrote to memory of 3000	5844	erythroph.exe	121
PID 5844 wrote to memory of 5896	5844	erythroph.exe	122

C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
"C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6140
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:4032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4452
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1304
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2448
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5728
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1668
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1524
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4580
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4976
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:3680
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2196
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1440
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4216

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TROFFE\erythroph.exe

Filesize
64KB

MD5
4aa5734fe9c86184f931f4ddaf2d4d7b

SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac

SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

Download Submit
memory/8-72-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/988-66-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/1748-73-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/2112-71-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/2120-76-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/2316-70-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/2476-67-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/2816-28-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2816-3-0x00007FFCB21C1000-0x00007FFCB22EA000-memory.dmp

Filesize
1.2MB

Download
memory/2816-79-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2816-4-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/2816-2-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/3160-75-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/4568-54-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/4568-69-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/4568-15-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5016-68-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download
memory/5016-8-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5016-6-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5016-5-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5016-35-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5104-14-0x00007FFCB21C0000-0x00007FFCB23C9000-memory.dmp

Filesize
2.0MB

Download
memory/5896-74-0x0000000075270000-0x00000000754FA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads