Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
29-07-2024 21:45
General
-
Target
34534c44bf3ef4e864940a14e7a3ac79471743019f3ca4a4629a04c6a6cfe25e.exe
-
Size
1.8MB
-
MD5
443e95b6a5732f75947b6a4def6c86f6
-
SHA1
dffd07507b3d4d9a758504d3dd1b0f832822892b
-
SHA256
34534c44bf3ef4e864940a14e7a3ac79471743019f3ca4a4629a04c6a6cfe25e
-
SHA512
5bc0da13c16d7627a5db8a207abb8d287558b714e796f853f5609a9d91948523158673ca80f86983dd9751331c1419153653f3459989a3eb49dc1969c7321fea
-
SSDEEP
49152:5bUVhYH9OXb8gzOnYArnONMwJIDVcfvO1AjPIk:NURFCnYsON+DVcfvO1KI
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
dana
http://85.28.47.31
-
url_path
/5499d72b3a3e55be.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\34534c44bf3ef4e864940a14e7a3ac79471743019f3ca4a4629a04c6a6cfe25e.exe"C:\Users\Admin\AppData\Local\Temp\34534c44bf3ef4e864940a14e7a3ac79471743019f3ca4a4629a04c6a6cfe25e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000020001\5b22d85a95.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\5b22d85a95.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF6A.tmp\AF7B.tmp\AF7C.bat C:\Users\Admin\AppData\Local\Temp\1000020001\5b22d85a95.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9a849cc40,0x7ff9a849cc4c,0x7ff9a849cc586⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1912 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2196 /prefetch:36⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2268 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:16⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3204 /prefetch:16⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4536 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4724 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1044,i,9261796520094865993,560812550208809771,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=844 /prefetch:86⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9a83546f8,0x7ff9a8354708,0x7ff9a83547186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7715834371872572235,17269930146208783460,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25757 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a74cfe0-dfad-46c3-91c8-e755cd7aefc8} 844 "\\.\pipe\gecko-crash-server-pipe.844" gpu7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 26677 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {211803e9-83f9-47c6-839c-cee7126e3756} 844 "\\.\pipe\gecko-crash-server-pipe.844" socket7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3492 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e49dd1a-d897-493f-8090-882e7d7115c0} 844 "\\.\pipe\gecko-crash-server-pipe.844" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3520 -prefsLen 22739 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77937c73-0478-4de4-a8f2-bddf5fdf49e1} 844 "\\.\pipe\gecko-crash-server-pipe.844" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2824 -childID 3 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 22739 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55cf3fb-df9f-49a0-8e33-78201c19604a} 844 "\\.\pipe\gecko-crash-server-pipe.844" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 4 -isForBrowser -prefsHandle 3216 -prefMapHandle 3188 -prefsLen 22739 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08476ae6-17f9-4290-8d29-3aab2b6b7a1c} 844 "\\.\pipe\gecko-crash-server-pipe.844" tab7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\1000023002\bd6876f590.exe"C:\Users\Admin\1000023002\bd6876f590.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187KB
MD5efedc80482b249d448d8939f4347dd04
SHA1b7abc85ad9cc52c264473493b28df8aad2eb0be8
SHA256144b0da90e8a3721a58d22b460b017854a11c308578ad7f5e3825361fa1cfa5c
SHA5125f4bb47ea65ebeb2b7f66a200cc42974a3a1e5cdcc16bbb0a851c4e11034da8751ff1fdc222ec426fafd73a010e3461fd84af9f4fc63a581f917748891b27446
-
Filesize
649B
MD5ba6db625e9dafcf70b717f45e76b0c72
SHA1b7e1a27566192fac009241c8a8be3bc6b43288ef
SHA256ec99c384478b09deb1b8baf6390ddbd72f8d0f8a9800cace50d01088e0321804
SHA5128b72b2e0da5f651d9b22f72a5e20e3a933e0eaf6d3acd7934377786be6e875d9720f171294532bc3f5551d3f7c7a97b20b3f1453dcb37fdc611b3e0ca5e73610
-
Filesize
288B
MD584d1bc2448291bf0ae6e7a2b8571973a
SHA1cf58c972e464dbe7b88dbaa09b89385bf965851b
SHA256e8ecc2b68b4d17741a1a619687b9cdced9555890d423854955eefad1f1d50ab3
SHA512e106e904106fdc603c659df73f18f2863db6a86ad389a3f3900f2017201fb29f01db481e840d76d51825b1581555e9b34efe0c771645e6066f4622f88da475b8
-
Filesize
3KB
MD5aeb03a531f7041cdcab04b370c69732c
SHA181a53cae5c3717dcaba7d2bf87dae945a87a8276
SHA256e48dc7a749bba98042eb4555cc94b74ba26b99170b986f9fd53a8df5bbdc923a
SHA512362841942c2ed9b55effae6ede08082e911737aafc91f5bbae01722c06b94069090a1a6110b1ab15de7ce70e06d46a639b90c6417b66bc32bafce4d841d05a20
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5985c7a70b7793358099875c87f29f7fe
SHA1d972633afdb4d142af389c42c2faaa41307a343a
SHA256cba62c911db449cf16c4316ba718df27d0640ca1d9037b504fce66dc11c3b469
SHA51270c0d2796666e38b600f4dd44c407550f34191fcf8e44b1c70332df8d83956dbc7720dcacccbc8a7397045d96a6514566100845bd3c412ac7145cd79691456d7
-
Filesize
9KB
MD59282b652bc43336bf2a5537a585cf37b
SHA1a560095b2591e19b29c0a82cad3800962c14f1ca
SHA256bad1878af602b08edf0b45c745447b549d679d6bde4616b7fc808777235970c2
SHA512b140223aa4f815a557a056ae9eb8522d1eeb985bfa9c13bddedf81a52d72af3cbe6559a7ec9105ae7bef91234a3946778aeb03b865ad74f13416d6679e85a940
-
Filesize
9KB
MD5645ad91d5f54a11497a940f219a6baa0
SHA1cd715759801671a449feadf75a5f1a2e230fc57f
SHA25612a21987134bf4d468906f7e202566b4e29879de113ca0f76f1314f2ef3dc2ad
SHA5125cb9f5c45cc2220bb70bdea09032e4a4befe3150c7be0f29b3aa3cf0c70bff7b4e2a6873314474141df58fb8284dc9b7bcd91882ffc85123365451316a5627f1
-
Filesize
9KB
MD5ffb6b6775b56dfd4fc02fb8c8b39bf70
SHA1d0a5df23a12739f6b6c8187c0957dcdb2254fd2c
SHA256b57111b9a66e65c236ec4aa756da7babaf5e29c9ceac5c894641c9c90c2cbf56
SHA5125085fb487604ea2e8de7b387d39e1d1ef582f5f51bda36b17c3ae4e8caacae4a0e64734367b2f1b28ea56ea03e5d87a0f25133e19b60f5a7c743ac44ddc831e3
-
Filesize
9KB
MD53ebbc1bcaba7b81e5f97a9b44eb2fd38
SHA1ad304ac98c745a6595a37424b0a15a37d9bfd740
SHA256e83194658c81a7651cb4318fa1deedd8195cd555746086a08e753e137be08b36
SHA512cb376380e12aab3ddc772646c4143814ae99855e51d93fd2630c932ef03b2960e27c59413580585362fda7631c6fb8536c63a376786dc6c1b8303c73c368aee6
-
Filesize
9KB
MD5bae4623ec324c23fbbb71416c1117937
SHA1499583d63b41d65a163b1c405b39155b7e5419b9
SHA2566480b435f1b9069c2c65f8765bd23d10783b9da12f8d7bc88fd8913a0058ee5c
SHA51247605abb58e45512d25931bf6bdcac708cef7f5ffd8673836bc49352a0065671c93fb8d8e2d2f49f56670087cc7449fa5343a472adc34ee39f9502661cf32760
-
Filesize
9KB
MD59a43c029abfcbf733048c822c8e15280
SHA1d0845bbc2ceb9306c6d6d180232619169018dec2
SHA256f09d66f905c2dbf4016cd41f0c70253080a5f7c51ab179eda8e72b6690cdefae
SHA51240dbcd0aae73cbe759f413d3602a26b9ce9358d3a13f36e7aef0603373e4d506e12c236de90d3f82729e8bc8d1d72dc250ac1bf3cd8ccaf8b483b0c345b509fe
-
Filesize
9KB
MD51e03a5d3b0b1ec1d6afc45a6ef58622b
SHA113d2bd15373445ca5d3f3c2563c8eb9572dca262
SHA256ba4ee1910b8a8391b7b2d0546b268e33e080b4cbee9dee696d85c6735634ab16
SHA51248a8a8078158208d62aadc3b4af44b504fb5eb9b2957a6e52c6492475e297797e2edb885e4039728e35134b79779c57422eba58ea0bde42ae3fc700d12fe608b
-
Filesize
9KB
MD5fff7688a22b5d0f7f3052eb5cd9b65b7
SHA15f80f36851cc29d4759e3da4e9e273fe6e9434cc
SHA256be01b33e1812222f01e1b5523ccaf09c48ab07ceab9c27d4065d5341b7c57af9
SHA5123e07d2432ed2ccfca4560c9f430705a5b902a8e3db3355e7d97b1fcbcc0c216f51954d07b1aedd8f0df828906d9adfd886e3d49abbf0574da85f4caa64cae158
-
Filesize
15KB
MD5a38eefd5e50ef25b044a35d01e96a2fe
SHA1c8624657b0e323ffb2d8d8bea8472684fbfb41cb
SHA2562518fe64c4fd31f4037cfe1002c6b472310225a86dbe38be68006ff22c40dce6
SHA5128c374fa4ba39bcfecdc3e28ea2a0c8d545da68742df16a936ec75c96e22eae0e6b20f88b0f24fe8f8caecf27a6d169517822f14fdb7835584b7d1e2f3bb3bb25
-
Filesize
9KB
MD59987d6ce72ed6c771c76f04eec4f430e
SHA1635a129ce8c1cc4e4d571e34e261afcf9fa81fc2
SHA256a1a75b65f3f8e840c68d79f848636a25e7003b3a2c5504a7488831e455d031b3
SHA512d80882919298bfb75422640542d0146fe1d69ff2f37c3b953ff8f6725f756db8040308bb8db20397473ec45c4d4435211d41290fe021a02384face90cbd2169c
-
Filesize
189KB
MD57afb20d02385acf31e8a213821451b8e
SHA119b78d4ef80c0da29abce6285bb23538f5a2ccbe
SHA256e0d4b18d676924c6ddb70ca652035f1933dbe520a0a05fb6bf9a7247b9367151
SHA51251403ccfcc40826b8994e66cb637df909ae45071e49ddead901607500183724fdc833374e2a0abd70d7191a8f42ec10163bfc6f2cb866af16123d48f31fd35a6
-
Filesize
189KB
MD5d9a7822ecbf56ef00b03aed6a68276dc
SHA1d1242a9c6df9fe6f89ec21d692677709cbb03422
SHA2562d46b33e15b236e0eeb7faa91aae6ffff47ece567f4d201983a229d027c99cfa
SHA512b09d0e3f948f88bc643887c6ee0ef6f05780847d5fa21e9339dca48ac4d9cf9d9db939f8cd692ac22f8dfee58e5fdf146ece9051d200c6d964d3e982056362b7
-
Filesize
152B
MD554aadd2d8ec66e446f1edb466b99ba8d
SHA1a94f02b035dc918d8d9a46e6886413f15be5bff0
SHA2561971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e
SHA5127e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994
-
Filesize
152B
MD52f842025e22e522658c640cfc7edc529
SHA14c2b24b02709acdd159f1b9bbeb396e52af27033
SHA2561191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e
SHA5126e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05
-
Filesize
216B
MD58f918bc4ce217dd0322eb9e8e089197a
SHA1e993b103a4ee2fa32bce7b566fc06f866dd29a15
SHA25655eabaac648e7e8356a8459ddada689d8e82a9b8eb6c6296e58500c8af8a05cd
SHA512dadda9d6ab1375677f57175a55ab8098f0762767248fbd0f61f5e8e41a55ff47ad5c1f9251c6aa74743c7ec97b5e478e1c0a6509ab706eb94e9f1f1c127b9754
-
Filesize
1KB
MD5614aa85c6cf1ec96112a47ee25377935
SHA14d33d94b3f9b0956177435b38958396873d114cc
SHA25646ad1ad1681ef713b9f8e6269013abc1eeedfc941456d81c35c7e401a8be87a3
SHA5128766e21dee4ef50349f417eee6d265b86382b7c9d6ce3b28591396763c4671d93dfe33682825a98fbfc65be4f290326cf2f67c2fe34b9039adf293e39a43afa0
-
Filesize
6KB
MD56ed34f2be3054346dff866529b47f318
SHA17901629fc3f6b63f59cad120df9d342d81f38132
SHA25650793c867a00ec13c2a48d0309145655bca55ba9d8c96c02c71d843e681f45fc
SHA5124e0dcbce1edd58efc28ffed127f862ee44d59d1ebba37d05879ae8dbacca5ba15725a14d9faa4e870155b846f4ddea9bc046b86345737dde7ee72f35109f5ee3
-
Filesize
5KB
MD52dc4b03162e5aebfd9fdf5de35d51d51
SHA1b7cb347beaf56b230425f0e75487c569890f48e5
SHA256f160a5d1e0fc2a4002de37bdb09409b73dbf544430c7d1b9c085e5371e0363d0
SHA5126a46417a614850410ab988f90c1282d181186e8989ba8c0dc30028dd10aca8c1e52a3dffc59b80666a54782e119ec209aee7182370992d54317f0a5958a31ff6
-
Filesize
10KB
MD576aca8434e91d885e81b08548bdc3a90
SHA142003de8527b96e857dce11685ab09e579b331d8
SHA25639cb7de38b673162a5bea866ea39d34c857b37fceccbf4578c3c1c95d2d73cad
SHA5121dbe6b7bd9ba206fd23008bb310308e721123ab0da0a5ca580c4693ac61fdc2673f9e68e4654d5a787a6d49711b38a24534c4da7d8860465dc9b78e498284332
-
Filesize
1.8MB
MD5443e95b6a5732f75947b6a4def6c86f6
SHA1dffd07507b3d4d9a758504d3dd1b0f832822892b
SHA25634534c44bf3ef4e864940a14e7a3ac79471743019f3ca4a4629a04c6a6cfe25e
SHA5125bc0da13c16d7627a5db8a207abb8d287558b714e796f853f5609a9d91948523158673ca80f86983dd9751331c1419153653f3459989a3eb49dc1969c7321fea
-
Filesize
89KB
MD5b95e20a48bc237090b1d624c6bf32730
SHA1678e81b52fb835a21c5d4f951020a8f395ffb924
SHA25637b7375232555b4bb0262d745b287bde1003733d16aef38706d8e4ed451e1821
SHA5126342a40886cdf1ae85d1cb0211526971aedd291f133f79d48f1ea9a44d0b264324d7aa8c71819113ab9aa164fb7ec731b60da1cf00a55902fc032ad072101186
-
Filesize
2KB
MD5de9423d9c334ba3dba7dc874aa7dbc28
SHA1bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA51263f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5f1d0ec6deedee0283cf50057dc3c5e14
SHA12e8bf5f77172fde22da88d5bef78c1875b837651
SHA25634b81e8145acf92b51ca36a7c16c483124cb9eaba4895e0b2aec1da20d01cf59
SHA5122814ff0cf66a1bd068ea74d2a53e90751c7cf31413e018fd83be67d9d9a4548de68b27a558da6dd0cfb96d0b727230ae8357849d12c37dedfa62d39f501c92b2
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD53c8637e458063e0389e9ad25c53bd95d
SHA19c61486dd9aa3ee42472c53209c1ca1c54dcff77
SHA256d8430c1ab413e3adf42a8c52ed27630af227c3d00db7bc530a79a8de50430bb4
SHA512c37eec1bffadcc56d80808219fe07e501be27ecf8a0a8424dcf3154068c8c6969bd488fab90f9ba0c537f4f3e40dea869ea16bda031fb5f5ea3b804eafe0918f
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
444KB
-
Filesize
444KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB