guloader | 2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

Analysis

max time kernel
299s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Size

64KB
MD5

4aa5734fe9c86184f931f4ddaf2d4d7b
SHA1

a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA256

2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA512

7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
SSDEEP

384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score

10^/10

guloader discovery downloader persistence

Malware Config

Extracted

Family

guloader

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 16 IoCs

pid	Process
2112	erythroph.exe
3864	erythroph.exe
4424	erythroph.exe
3056	erythroph.exe
4104	erythroph.exe
1924	erythroph.exe
1360	erythroph.exe
5636	erythroph.exe
3928	erythroph.exe
2788	erythroph.exe
1388	erythroph.exe
5560	erythroph.exe
964	erythroph.exe
228	erythroph.exe
5052	erythroph.exe
2380	erythroph.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
4420	RegAsm.exe
2112	erythroph.exe
764	RegAsm.exe
3864	erythroph.exe
2312	RegAsm.exe
4424	erythroph.exe
4932	RegAsm.exe
3056	erythroph.exe
3368	RegAsm.exe
4104	erythroph.exe
4012	RegAsm.exe
1924	erythroph.exe
2052	RegAsm.exe
1360	erythroph.exe
6108	RegAsm.exe
5636	erythroph.exe
2412	RegAsm.exe
3928	erythroph.exe
904	RegAsm.exe
2788	erythroph.exe
2432	RegAsm.exe
1388	erythroph.exe
4860	RegAsm.exe
5560	erythroph.exe
4216	RegAsm.exe
964	erythroph.exe
232	RegAsm.exe
228	erythroph.exe
4644	RegAsm.exe
5052	erythroph.exe
3512	RegAsm.exe
2380	erythroph.exe
4896	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 4420	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 2112 set thread context of 764	2112	erythroph.exe	90
PID 3864 set thread context of 2312	3864	erythroph.exe	95
PID 4424 set thread context of 4932	4424	erythroph.exe	102
PID 3056 set thread context of 3368	3056	erythroph.exe	108
PID 4104 set thread context of 4012	4104	erythroph.exe	114
PID 1924 set thread context of 2052	1924	erythroph.exe	120
PID 1360 set thread context of 6108	1360	erythroph.exe	125
PID 5636 set thread context of 2412	5636	erythroph.exe	133
PID 3928 set thread context of 904	3928	erythroph.exe	138
PID 2788 set thread context of 2432	2788	erythroph.exe	143
PID 1388 set thread context of 4860	1388	erythroph.exe	148
PID 5560 set thread context of 4216	5560	erythroph.exe	153
PID 964 set thread context of 232	964	erythroph.exe	158
PID 228 set thread context of 4644	228	erythroph.exe	163
PID 5052 set thread context of 3512	5052	erythroph.exe	168
PID 2380 set thread context of 4896	2380	erythroph.exe	173

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2112	erythroph.exe
3864	erythroph.exe
4424	erythroph.exe
4424	erythroph.exe
4424	erythroph.exe
3056	erythroph.exe
3056	erythroph.exe
4104	erythroph.exe
4104	erythroph.exe
1924	erythroph.exe
1924	erythroph.exe
1360	erythroph.exe
5636	erythroph.exe
5636	erythroph.exe
5636	erythroph.exe
5636	erythroph.exe
3928	erythroph.exe
2788	erythroph.exe
1388	erythroph.exe
5560	erythroph.exe
964	erythroph.exe
228	erythroph.exe
5052	erythroph.exe
2380	erythroph.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2112	erythroph.exe
3864	erythroph.exe
4424	erythroph.exe
3056	erythroph.exe
4104	erythroph.exe
1924	erythroph.exe
1360	erythroph.exe
5636	erythroph.exe
3928	erythroph.exe
2788	erythroph.exe
1388	erythroph.exe
5560	erythroph.exe
964	erythroph.exe
228	erythroph.exe
5052	erythroph.exe
2380	erythroph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4744	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	83
PID 4196 wrote to memory of 4744	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	83
PID 4196 wrote to memory of 4744	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	83
PID 4196 wrote to memory of 4420	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 4196 wrote to memory of 4420	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 4196 wrote to memory of 4420	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 4196 wrote to memory of 4420	4196	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	84
PID 5044 wrote to memory of 2112	5044	cmd.exe	88
PID 5044 wrote to memory of 2112	5044	cmd.exe	88
PID 5044 wrote to memory of 2112	5044	cmd.exe	88
PID 2112 wrote to memory of 764	2112	erythroph.exe	90
PID 2112 wrote to memory of 764	2112	erythroph.exe	90
PID 2112 wrote to memory of 764	2112	erythroph.exe	90
PID 2112 wrote to memory of 764	2112	erythroph.exe	90
PID 2840 wrote to memory of 3864	2840	cmd.exe	94
PID 2840 wrote to memory of 3864	2840	cmd.exe	94
PID 2840 wrote to memory of 3864	2840	cmd.exe	94
PID 3864 wrote to memory of 2312	3864	erythroph.exe	95
PID 3864 wrote to memory of 2312	3864	erythroph.exe	95
PID 3864 wrote to memory of 2312	3864	erythroph.exe	95
PID 3864 wrote to memory of 2312	3864	erythroph.exe	95
PID 1676 wrote to memory of 4424	1676	cmd.exe	99
PID 1676 wrote to memory of 4424	1676	cmd.exe	99
PID 1676 wrote to memory of 4424	1676	cmd.exe	99
PID 4424 wrote to memory of 5940	4424	erythroph.exe	100
PID 4424 wrote to memory of 5940	4424	erythroph.exe	100
PID 4424 wrote to memory of 5940	4424	erythroph.exe	100
PID 4424 wrote to memory of 844	4424	erythroph.exe	101
PID 4424 wrote to memory of 844	4424	erythroph.exe	101
PID 4424 wrote to memory of 844	4424	erythroph.exe	101
PID 4424 wrote to memory of 4932	4424	erythroph.exe	102
PID 4424 wrote to memory of 4932	4424	erythroph.exe	102
PID 4424 wrote to memory of 4932	4424	erythroph.exe	102
PID 4424 wrote to memory of 4932	4424	erythroph.exe	102
PID 3188 wrote to memory of 3056	3188	cmd.exe	106
PID 3188 wrote to memory of 3056	3188	cmd.exe	106
PID 3188 wrote to memory of 3056	3188	cmd.exe	106
PID 3056 wrote to memory of 5948	3056	erythroph.exe	107
PID 3056 wrote to memory of 5948	3056	erythroph.exe	107
PID 3056 wrote to memory of 5948	3056	erythroph.exe	107
PID 3056 wrote to memory of 3368	3056	erythroph.exe	108
PID 3056 wrote to memory of 3368	3056	erythroph.exe	108
PID 3056 wrote to memory of 3368	3056	erythroph.exe	108
PID 3056 wrote to memory of 3368	3056	erythroph.exe	108
PID 4876 wrote to memory of 4104	4876	cmd.exe	112
PID 4876 wrote to memory of 4104	4876	cmd.exe	112
PID 4876 wrote to memory of 4104	4876	cmd.exe	112
PID 4104 wrote to memory of 4668	4104	erythroph.exe	113
PID 4104 wrote to memory of 4668	4104	erythroph.exe	113
PID 4104 wrote to memory of 4668	4104	erythroph.exe	113
PID 4104 wrote to memory of 4012	4104	erythroph.exe	114
PID 4104 wrote to memory of 4012	4104	erythroph.exe	114
PID 4104 wrote to memory of 4012	4104	erythroph.exe	114
PID 4104 wrote to memory of 4012	4104	erythroph.exe	114
PID 2088 wrote to memory of 1924	2088	cmd.exe	118
PID 2088 wrote to memory of 1924	2088	cmd.exe	118
PID 2088 wrote to memory of 1924	2088	cmd.exe	118
PID 1924 wrote to memory of 3924	1924	erythroph.exe	119
PID 1924 wrote to memory of 3924	1924	erythroph.exe	119
PID 1924 wrote to memory of 3924	1924	erythroph.exe	119
PID 1924 wrote to memory of 2052	1924	erythroph.exe	120
PID 1924 wrote to memory of 2052	1924	erythroph.exe	120
PID 1924 wrote to memory of 2052	1924	erythroph.exe	120
PID 1924 wrote to memory of 2052	1924	erythroph.exe	120

C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:4744
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:5948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:4668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5720
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5212
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:3464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4692
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:3928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2136
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4456
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:1388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5848
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1048
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:6004
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2956
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:2092
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TROFFE\erythroph.exe

Filesize
64KB

MD5
4aa5734fe9c86184f931f4ddaf2d4d7b

SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac

SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

Download Submit
memory/764-14-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/764-53-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/904-65-0x0000000074C40000-0x0000000074ECA000-memory.dmp

Filesize
2.5MB

Download
memory/2112-13-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/2412-64-0x0000000074C40000-0x0000000074ECA000-memory.dmp

Filesize
2.5MB

Download
memory/2432-66-0x0000000074C40000-0x0000000074ECA000-memory.dmp

Filesize
2.5MB

Download
memory/4196-24-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/4196-2-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/4196-4-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/4196-3-0x00007FF89C801000-0x00007FF89C92A000-memory.dmp

Filesize
1.2MB

Download
memory/4196-69-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/4420-34-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/4420-7-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/4420-5-0x00007FF89C800000-0x00007FF89CA09000-memory.dmp

Filesize
2.0MB

Download
memory/6108-63-0x0000000074C40000-0x0000000074ECA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads