Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
08/07/2024, 10:16
General
-
Target
3781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22.exe
-
Size
2.4MB
-
MD5
372c9047c2f9bc0241a64b506054fa0a
-
SHA1
a3dca1dc8b61381c1fca9f6951352aa5f6a2403f
-
SHA256
3781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22
-
SHA512
1ddc4dcc4e77ec0c147afe1606f50a989ae8cc8ecae67cc5fb122cf985b2aec84c4968fc2075ffeb0f666d1ca0669acef855e8e647e681a31dd1d5d70a0f13fa
-
SSDEEP
49152:vUlvV1PH2uIE3Hnj3d6Swz5+8gPNwvHTnUzHuC/yTkRT2VxLvgs:cp3P2xET3d6SwFUwvzCzTELYs
Malware Config
Extracted
stealc
Nice
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22.exe"C:\Users\Admin\AppData\Local\Temp\3781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIJECFIEC.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CGIJECFIEC.exe"C:\Users\Admin\AppData\Local\Temp\CGIJECFIEC.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000006001\94b033821b.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\94b033821b.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\2c9d0eaa5e.cmd" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd4dfeab58,0x7ffd4dfeab68,0x7ffd4dfeab787⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1956 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4144 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3080 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1984,i,4038478598035911475,10472495397107978202,131072 /prefetch:27⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffd4de946f8,0x7ffd4de94708,0x7ffd4de947187⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:27⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12388211135726833868,7240383709006670277,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:27⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.0.567878732\1887277667" -parentBuildID 20230214051806 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c09791-4eda-4f02-b8ba-003de8dff638} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 1784 1d89140c758 gpu8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.1.1126619180\1498943394" -parentBuildID 20230214051806 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f306957-847f-4bf3-8863-8604cad475db} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 2408 1d884585958 socket8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.2.555303222\1955769954" -childID 1 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e3c8253-3219-4a9f-b42d-2b0d154711b6} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 3448 1d89454ee58 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.3.240045140\1265050478" -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216ec230-6f00-4b3c-8122-9d92f89b78b7} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 3676 1d895fd3558 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.4.405084654\338777248" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5100 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2347096-30fd-446e-8cc5-78f8b42c256a} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 5204 1d89821df58 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.5.91828561\1083325715" -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5224 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9a70008-045e-445c-8944-278022118a64} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 5444 1d89821ee58 tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1008.6.1442987936\1018479491" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5620 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {019c3933-378e-4720-ab3e-f6dc46dd4a8a} 1008 "\\.\pipe\gecko-crash-server-pipe.1008" 5540 1d89821d358 tab8⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
67KB
MD551c3c3d00a4a5a9d730c04c615f2639b
SHA13b92cce727fc1fb03e982eb611935218c821948f
SHA256cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA5127af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize
36KB
MD5103d7813f0ccc7445b4b9a4b34fc74bf
SHA1ed862e8ebd885acde6115c340e59e50e74e3633b
SHA2560ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA5120723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
Filesize
240B
MD5a6407863db7618a512b5eaab3c9db05f
SHA1d37355dff052df9c21a5ff5f15ccee1c5851585e
SHA2564a653f3285752f89057c6a183da6af56762f1b2a465c37ffc87a9e34dc5105ff
SHA512582718f59c72011071f4f89383cefe05d710cc39c44e0191b95df5612dee0acd0523b1838e8029db9c7383dc3bca094535a154d764d61d4ad56077c50f66a5c9
-
Filesize
2KB
MD5251d58eeec0d6be7bc6072d28aebd4d0
SHA1b14073bc5457cbab94aa27475a85d001c0c9da0b
SHA2566be94c773300acbb78ce2e7f90a4a70f422b491b9dbb578b8ed50feabf316d04
SHA5129ff6d6898b70e8146b72d37352cdd09658ceadd071cd1be0ec45700f79382e8def0bf1550e0f3f017a4aee653454849babd5fc4bc9d184532487047e2976c29d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD5e5915d11a91696e42daa938e6bcb1e2f
SHA1730bcfda7c69679d6e3805b7573f4de26949b352
SHA2568914fe40e25e30d1acb18e9c8a47a5f9a8b697ace5c2ccc77510c7bea1c29b73
SHA512fbd7ede0907ef8aed2202f7e5ce181a288c8137fcd30d8bafc42208838c32eaf0c85ab3df8683b465f9ac29f15f1987afbd6d0fcaa8e8013462de40b8ec673f1
-
Filesize
7KB
MD5ee90c2bb8f5841f61e053d4860024cae
SHA1805fcc5973b4a992879b528f875f0b0decdda28d
SHA25639fd8cca645dfb07211c5f790f6c94253ba1dff26f1820616b63d35f8ba47b71
SHA5121998dd3aeb1c041874652f259f85afbe3f6e95f5cf75f16b489795e57bffb9f2095377c18e1ce316566ef947504acd462d0551b928415cbd49b61af08d6e1fe1
-
Filesize
146KB
MD5b5a5dcfb8aaf771b982a2715aca8f306
SHA1fdf9e4d1c3db76188a04f0cfd8a6e09c26c25842
SHA256b93d8e376456e89c88124fb0450b474fb07efa92290fb53f1998178b77a4af0c
SHA5124bb7dec26ebd7bd8ae36ed7c748e0fff05aa9be6a4f147f57dd6a42444b55a9599cacaeb362bba54dc395637e10b414dddbc3c3f5fa5552203f9a4e1b1d5bfa7
-
Filesize
146KB
MD5e734789c30d2bf8b4201b95e9d996638
SHA1f1e0ebc8ec05a3f2697fb922280dbeb2a7fda2b3
SHA2567b5ef9619a39f6176404abcf775b620dd7a1da667a94ee3da08b4ecfbbddba25
SHA512d81df0bf97072ee6136682b1f3e3352062b53a3224d8c453b90515b786039aba2da02f9219bcc6dcc3b68b698a2e0ddab1c0c1712d62e52a79c92d154e7bcebc
-
Filesize
145KB
MD5e1cf2f176449c156e8c940c1e69638a1
SHA175d259c54fa09c21dfd5dac002ccf7c0b34bc8d0
SHA256b211451e8608a60ca627d4e0b0138607c9576a22833d610c737bfead01161fe3
SHA512d27947cbea217dba15fcba7c68295d7fd10987d4e475d4f246ea353468b56ca5bdbc716b7ed8b72b560fc9ccc5fab9c8d6cdcba87d0c12f017af8d53c96432ba
-
Filesize
152B
MD50331fa75ac7846bafcf885ea76d47447
SHA15a141ffda430e091153fefc4aa36317422ba28ae
SHA25664b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a
SHA512f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2
-
Filesize
152B
MD5f0f818d52a59eb6cf9c4dd2a1c844df9
SHA126afc4b28c0287274624690bd5bd4786cfe11d16
SHA25658c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61
SHA5127e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509
-
Filesize
240B
MD57eea3b69fd7d76c54f609f64bb7e8018
SHA194bd94795b35407cbc2e5223a091ce8e457ceedc
SHA256686358925b3c9cd54c366376c623a7669d1b77b30e3acf76cda888f4e94dd538
SHA5122256a441aab57eae13ce8fb8210d5b292ec7572d1ac276d9de5da547e435c4764cc13cace39d0e0ac0cc9de3e2a68318ad09a96528f45f1382da3a79f2b49651
-
Filesize
1KB
MD5d3b52c653bab76d090c3ebf67e16a72b
SHA1fe24783daedd3299c1900642c77e009891d98a8f
SHA256c686427be2060ea233f08a9f5e2ab867146992d003b0a2e0e32e3c81d545ea37
SHA5122a72f001b7047c96204035b8b1b2d5982d2b863939588ab17de8d21bf317329335fa8f209a3d646762f44683c0a2b1dba665b7fb9e424b19f7acf18da283af94
-
Filesize
6KB
MD59625f8198f215e9bf73c15f6fbf0b825
SHA1a6eeccc197c6fb67ae6b042ff8625c54c7aea4d5
SHA256309296ea035b02f2c7cb1aba95d6f56128a57f1ad276112afaf38f038f0c286b
SHA51240cb97aecab0326acf4821760da8e09810c2b9c37e7ac5d242546f9260d49544d9d5dbe565628ab8f580f0194b1c6d47d170bc566d8bf09893bc4e77202d0e49
-
Filesize
6KB
MD5945c1696a8b0ed2bf5b03e68c7ebcdf0
SHA1882887b543f53266c933affa042ffc14bd7bc7c8
SHA256b64309cfd096a692df32db32e2fbd3b01629b59892341d0b4c42a6ae3727150b
SHA512b41ec1ff1ed3c75069c299e6eb2fa4e5ac13c901bb6b80e240b8e53aa7b3f31a11c762959bc63de8c53d075368f8230696d4382d0f2251aa4e7f6334ff892104
-
Filesize
11KB
MD5d1a16401b549c378e0cfe74f112f57b9
SHA162b293f32293b943cecac1ea3cdf06a7f60eb9bd
SHA25673add90bdab04f3fde4e889e56a8a92449257d34c2ccf7123d86b4ae9fffd426
SHA5120af8317ccec220f4948698c0aedf9009dfe70901fb836b189f7371bc4214ea7843c190e4a3ffd09c5e2d8858946c8b84243481a343478534842d3f1cf197a456
-
Filesize
28KB
MD5ded14b1085949db365eae284e9577fcf
SHA1e3040607435a7f6618030f9f38098861daed8cb3
SHA256522cb6338e9a41e053ee069983925d5e802c61b2f00873b88c98f21e6aaaaa45
SHA512a40274937313f12a6dc738b7ab779a5e56d1f0f347b8cfee133ffa182b4e90996af292af02cd23fda71872f1efc0faae2e7b1db0777b484590198acb4e70264a
-
Filesize
29KB
MD5d6097c19f0dfe6ba4af5a541cbf29d03
SHA1b73161d0a769de24e79a412a7c237f4f7fe59bdb
SHA2560011bd6469cdd2dd106aa1bfe4be83c95e36bab426d1abe1ac37ec45cad571c3
SHA512063d9665d250bc3b8e3788c61143219f8959b62ca3a020bc6515ff97057e56bf6e07617bbcdd1a59ad8d65fce71e014d6f5f4fe557d75817ed00b7a3c4e23870
-
Filesize
13KB
MD5e0793fe20fc2df835cb1670b5147e46d
SHA151026b9a9028a8530f984134541ea1c813cee0fd
SHA256f498b2f3af264df694b23ebc07b5eee69d8ddc1e04833172b4fa8e2d0545b867
SHA512d4c76163dbc7952a648818500f6cdd7dd588fd82aebbfb85fe58464365b0798a3012cafb555529c1593377cde8dde17f67d08e45b1c7cb6aab79651134a2d29d
-
Filesize
2.4MB
MD5372c9047c2f9bc0241a64b506054fa0a
SHA1a3dca1dc8b61381c1fca9f6951352aa5f6a2403f
SHA2563781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22
SHA5121ddc4dcc4e77ec0c147afe1606f50a989ae8cc8ecae67cc5fb122cf985b2aec84c4968fc2075ffeb0f666d1ca0669acef855e8e647e681a31dd1d5d70a0f13fa
-
Filesize
2KB
MD5c1b73be75c9a5348a3e36e9ec2993f58
SHA184b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize
1.8MB
MD561ce43973f7cce2b561705e2c075d840
SHA13e4cc6785d2c26902699c3c800d40375b6ef085b
SHA256c59694f951c18c5b6af416b45e4c94049882904eced113e2415988fa8e241f11
SHA512bf68c402f73551fe3a3c476d392572b1fba61f52a1e3e68c83c0ba675cdbc77f127078481c7829695c1209afafb8eb9b2de909e252300a2288f96d310b25c9fe
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5037cc5e0deaa531d56ef6ec90b3e76ad
SHA12d7d900b65ee57dd697a190417094cf580d4a8f4
SHA256bc035644ddd2ec73f8d57c2688c1c89ed2d6d69b38d9501e5f4f5722d1a246a8
SHA5123670421e0e568a173a491277508fb46a7e4cc800e7cd2813defac6578301ff269571e04c3695f28cf1729f4dc9b1ae9a9626e0f64e4704ee8ab36be88549cba5
-
Filesize
9KB
MD5174b1dbe2d73482c5d76fae62585e6df
SHA1f2d163beb1e3c26887feb62fb1b43adee769789d
SHA25679d5c8e22d9d0b147643b5eced076f13a3311328aea2e4fd221e55f2e47b1764
SHA512c5ea5e7642236b17eea669afc9f27d04142deb3b93b70b0e8514c84e66a74883d27cce64abb513ab6a686e4ef3eb4b40fc76627b31c73dd7411e04c377a5f1b2
-
Filesize
8KB
MD59c2ce03fd17755756fd00cf6840bf759
SHA1a734f76213a43889101a232ea2fd113f96f8b466
SHA256f896f4bf412205539246091de2f4cd3b35de99a47c24b993d0cd6d3f06588fb1
SHA5121e92c28b2705de0f57aa93b67c89cd3b1141affdcee9f93d9be23203e0df05323a8f8f04c8bede5d4143cf6764c5f19bf501ff5aef7d0fe09c63388c6333d14e
-
Filesize
6KB
MD5e054eecd3f9d479fcd215851b5f14935
SHA1a880285b4d72693b4de4dc46cd5249a7e00cb013
SHA2563a08e91586c5d2f68bfcc0f865de63094cd895700cb766674c85719dfce0b4bb
SHA512abb91afe7264edbb110f24e7073500596be6058f60d904b556a351c65773f16794e7ced5123da98c239f04ac574a3fced354deb5517b841fe6558bf895e0a1e0
-
Filesize
4KB
MD5380e3d7460759ce40a08b0d4c9997d29
SHA10dae5667b319d96cdd980a33ef52cde655fa3484
SHA256318a5b2ad1c4c5809870facd0f27c8c302d2dc59b68b53ed79bf291b7d60460c
SHA5126a43969b176b94868f0cda3e91b17f213f85134ea34295522e5579bac5a4eb959bca345f2a121c6915e2b25a5ceb7cefed68f0984e653c46951abaaef9ca3497
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
972KB
-
Filesize
12.0MB
-
Filesize
3.8MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
3.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB