Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/08/2024, 23:12
General
-
Target
44b840309d763ca08dc04c62daf30cdf9b282a990ff52572591eb0c004a44b34.exe
-
Size
1.8MB
-
MD5
6b1be5003973052d34deb0f0b6c0ecd5
-
SHA1
3d47ab3e4d475097982a56686ba3298982f8a225
-
SHA256
44b840309d763ca08dc04c62daf30cdf9b282a990ff52572591eb0c004a44b34
-
SHA512
9e2006a743a6f401c42f37f0253a105b7ef0814a5c1667dbe28a1f395f80e788afa20159132b90477d89199c4255d2b56b2a1b405ff2a1ff3c2a307a6fbd9971
-
SSDEEP
49152:wwDx2gHYSoASYs9VCRpMGvnnonwe6smtZq:wwDx28oA+V0JvCwfsmtZ
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
default
http://185.215.113.24
-
url_path
/e2b1563c6670f193.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\44b840309d763ca08dc04c62daf30cdf9b282a990ff52572591eb0c004a44b34.exe"C:\Users\Admin\AppData\Local\Temp\44b840309d763ca08dc04c62daf30cdf9b282a990ff52572591eb0c004a44b34.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000020001\e3461d93ff.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\e3461d93ff.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D6A9.tmp\D6AA.tmp\D6AB.bat C:\Users\Admin\AppData\Local\Temp\1000020001\e3461d93ff.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff0789cc40,0x7fff0789cc4c,0x7fff0789cc586⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2184 /prefetch:36⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2264 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:16⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:16⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4652,i,4196228694190191716,5083064153131197182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4396 /prefetch:86⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff077546f8,0x7fff07754708,0x7fff077547186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,4832242786766363227,2911109949320860128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc9fd7f4-8f37-4b47-b764-d0845bee8e05} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" gpu7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ad4ccc-df61-4db8-ad19-d278188741fb} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" socket7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dc21b39-1286-4bda-bc98-03c0b4a11d20} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3208 -prefMapHandle 3272 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4991be4-3374-45da-acd0-e96cd0f3a8d9} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4124 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4196 -prefMapHandle 4188 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf9f4803-ce59-44d4-90f8-f503d8a71aad} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" utility7⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68aa00e1-eafe-4f6b-8c73-baa25da5dc26} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38a0b36f-d2c0-40e2-896f-d88629d48e23} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5936 -prefMapHandle 5932 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7768012-6b38-4423-815a-c35ece5d250b} 1940 "\\.\pipe\gecko-crash-server-pipe.1940" tab7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵
-
-
C:\Users\Admin\1000029002\31fe3f420b.exe"C:\Users\Admin\1000029002\31fe3f420b.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 13724⤵
- Program crash
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5692 -ip 56921⤵
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD5d14febd6f1eb07795373d3ff7bf126d3
SHA1f15145a0d33d30af965a3d1d8fc5f955d80e8ca0
SHA25682c53ac3817d5054c2ed6161ce399eef2cb5dd29217eb2f45e84b95cde126e91
SHA512487605dde1a201c67212679db8caba0bfec1985c586f1bca35b7ed25f5c34362dba73c113d3e412bb0eb047020ad7521d6322f6172904cd789fc6646f4b31c05
-
Filesize
264B
MD5b715ce0abaa08958adc992e68cc86958
SHA155e15780fd74e34138c6dbe27ad7a767c7321458
SHA256e92ee46ba356db971941157920fa5bbc4f5c90ddff8d1669f11701a78412eee6
SHA5121aef662dfa97c573103005e2f343c340d83a053efbfa97ea4392bd589c6db0b917b6d51f04446cd51cde0cfff368099c6321803cb9ab928301b4fd1769eb78c2
-
Filesize
3KB
MD5441cf2bd093d1a3e249e42a989dbe5d4
SHA12c3cd6bdf8d76df5c5738df6a166fa4670dce31e
SHA2561d87bdab42b4d89e0b4d00e310904f4115c885256a9b2a5ef4d9e32d2006d347
SHA5128411b127150f1f7b7155071158bbe1637f4cebeadf930576325971773758f396a0251f1bfe7f39bab957727c58f19221fd73df62a55c520916da58a0aa0db874
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5f12600c537cf903723bf1d212d02d695
SHA145e07a06711b5f57d54e008da931993e17cf952a
SHA2561bd93281b9b5dbc54298ac6bee3cb0bd29b2e46bfe667011f8944b929fbe5f3d
SHA512bb99e32b1e8e04f51fdfa4dca66caa98254481717b1becdf24fedcf6c7c9c51bab668f4dfe611d98a6e750fb32dfe911d4a34bef11448ad65a64847c28e996ff
-
Filesize
8KB
MD53eafb9ba18efc4e9a7610bcd7772ae25
SHA1d65ba704d177c9949517a0f6801bd98209bfd017
SHA25648e9dd31eac0ee26948a26f7bb57827a8507df2a1a592b90ccecd428f492730e
SHA5124fddeec91f9600b059167fd6a76d664603445196d996750b5da1fb63cd6d419b90299b2d7def8f189bd26359fe4bfb3932d098ed73abb1df8739962b7104a4ff
-
Filesize
8KB
MD5aa320132a4ef61ea22949701e7307b83
SHA11c7c1e6c1fa2af648758f3877c5fee079dee5585
SHA256011551213cfe51aef8d90ef90167456d36c330b161ebcb11ebcce2e7a6704819
SHA51279a5cba1a0130719f1daac4600f7689f7f6516396f5ae8a89d788b41059ed937e84951269cc2a768315cda5171f44a5d87ceff28f610053a225986bdf7d15d56
-
Filesize
8KB
MD535bc786af572fcf9a95b317690f82380
SHA125ee7752c1e226f78fd751fed022a5414cb07360
SHA256e2e48d84183b6d276ad4b05c10617fc8b389de4672c1b467b2d1d6c4bd7fa985
SHA5123998bae7dafd492dea7ae5ed2a55bea818c5d1f1d02dbb86572050b559ca33c48e15caad126101346650c1e68e21e24199581cddad5c106338d8f87ce7165897
-
Filesize
8KB
MD51789694e1836cc1e291dacd98cf1713c
SHA17a0743b57a9ee11abbc4872843fe5cfbf8964646
SHA256d5e94337858426de41c21de4eba3cc9642680dfe2d056cc6884334b26a31ff96
SHA512c4094738b14b013100ddcc56bc90a5906c7808f4178747225baa914b755b5ca6803075aba557323730e96f09ceb7114261b1acd84381d320d44662e1bc5d227c
-
Filesize
8KB
MD522d5f81f0a591096648b4439b78c472f
SHA1dc8583573c38aa282c53d66c6105e4ddea120b63
SHA25674b840c2538664b3ae35172b033d090e70d806904b5f3b612e0f1dd40baee042
SHA512c5f904338c7c54703e746d3e0ed9929f0dfe19d4b26b3f8cbe38a69af6566cdf9a19fd92fde7f72bb340f3f639972cfbc0c24008065c349c2f944b35e1011599
-
Filesize
8KB
MD5f3a1e5c4716eb62d13adab7b9e607873
SHA1681d854eb5c9c9cfb12ee2b2b1d3066722ea686b
SHA256bc661d2a9e16c0e962f4c47c76158ac44b5a0ff16cbf118ce395e2a68ba0bcfc
SHA512dafb77ee6114705521144635706da41327981aa765c9f723982b59d3d837e1ed70c031e34c5ebb10783c1ed69cdabb747a86bbd88dc4a3405f6d7a446a5b3db4
-
Filesize
8KB
MD5aa8f679dd452d807fa3abf6cc519261b
SHA107666f60788982b5e006006c373b3455765917fc
SHA2566a8a98bf2f1d4ca6a510ef13209a70722b08d18daa9dae121eaef4add20ecca9
SHA512245de7263135780b00a03c6fbc77a57e8f0cad42ae63158cbcf8e65c310056a4a721c6b60edce158914331d95a83ac8e54512cf908d00d6676a06ed02b7ea650
-
Filesize
8KB
MD5fe5612250104a5f7f8f02cc5c8584eac
SHA1881cce012f15c3e347a8dca63eed71fe058b5c53
SHA256799026cb356735bb4e6fd4a9c778c7ead86f18ca397295a11aa516c190b25c1e
SHA5129185560978386f650628da424fff252fdd12835da79f0709f890f31bb5c71a1a07f191c9e3e169a997f1e90421c6ceda171e7cc4fead1734a21ae8f3317f2c16
-
Filesize
99KB
MD5d88277ba0b68f2c8e6c5f6e4729775ed
SHA1466f56cc4a26d8bb9cd741c00ee9a41ec8d5058a
SHA256aecb63dd2f2d50243ec729b14a709f9080c096f2776eb11682fefa3f94572a8b
SHA5120190b258185a915460cf971890458771917fb9b445b132b67beaa7b9f0ee26594cb54c35b53719bb48f374cdc91238a6569edb12082785d59924cc7ff6006a35
-
Filesize
99KB
MD5ded279cfd0004121382324b2e750f9e5
SHA1503e89a173214b90f5d70d4c29c91762f834559d
SHA2564b51fc66fba41a2e3804c5db65505ddade0e5fffa93c138dc02047bc205103fe
SHA5125f596917d9607278dff89edc20d90d34bbae704d77cdc7d8168ea26d77b55e1dbecb1fad9c29d83c82ecd3a19fe3c4dec4ce909ac90f0584b09af1fbad0e03f5
-
Filesize
152B
MD50446fcdd21b016db1f468971fb82a488
SHA1726b91562bb75f80981f381e3c69d7d832c87c9d
SHA25662c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA5121df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31
-
Filesize
152B
MD59b008261dda31857d68792b46af6dd6d
SHA1e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA2569ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA51278853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10
-
Filesize
1KB
MD58ba703bf7cbd0c3ff7db283db9a13912
SHA1f2480c0679e5c81b214cd8142d1af06658d9d10b
SHA2565a2e55b103d3eb37ebc5c7a6217e0d5e1bb186f8cc51621bf2fb67afa544c32c
SHA51220cc816df49511044c108119089df48c4b861d43cb5059e6b5a3b79bb1375e307a4a7abedb8e7079c10c560d6b842ca5aa5bdf90a884c4239cafd718ef6abb82
-
Filesize
38KB
MD56cdd1833d5b7bf4d7dd2f4dac5b6a08a
SHA154ae217a93901471ac46fb4d3ef81ad0d4571c8a
SHA256dd3d51cbc6460eaab9f3d7af15c7bd23f76cb3889ac65acdeb33a0575532f0f2
SHA51247f5433c2916c84c28a8f48ea86150ffaf131ddb616d39e6d529fb07ef3fa8ade33bd8633fe3e015a6fa0b068d3e6a5a1cb69fe78ce0dbd3f2a8eeb0b61a8aef
-
Filesize
240B
MD57a0b06cf75b825443e1a30c8db0db7e6
SHA1d8a96545dcd907c002984ab34641a84093f06be5
SHA256e5348d9b6c7c5dcf2d66529ea541be10922f0a9577f7c6ca17b9b137eae9bc2d
SHA512e4f28334c2889f5f382e52ceed26eaefe587fd399ba02565b9f62d8b3a0722d8545d7da7eade9f7d4570cb71244e06f201e15ac812f6d93df2fdac5028f97f30
-
Filesize
6KB
MD549ee4cbc0fe14f2b8c61c49fd0340447
SHA17ffcd5ed11eb0086db0c1c08109320abad240b01
SHA2567028d9cdef94ec9d90f559d74081e387cede85c62eac775eafdd46afacf4d936
SHA51209b80bfb2951d58d1808aa2b183d396d3a7f9183bbd741e9ca6cb2aa09b2544ee6bda060855ff2090a235f413c4eeb96039b466c357f3f3b28abf1ad20960d19
-
Filesize
6KB
MD5718531ef84fbdd9f1f740bab9dc1b6a9
SHA1b242b1e4f4d3a1831827603262f7dab87116deea
SHA2564897b861684cbb679a5bdeb23da6d1eba2d4322a9284a4ede1984efaa45f5b75
SHA51298254f69bb1df0d89c042ecc281b0ec79965d9a800c1aacb1e56431640855ccde8f6c25723f3477ec12820ab9f4025c0df108ef0faa3a5bdcb6b14c21e1c6638
-
Filesize
10KB
MD5a080d92b95565e1b76f5374547b8bb44
SHA149176ff174056e36a648a9da567479651a62ba44
SHA2564e9d28d01954449507ee2aa72259c438cf1d95fe199093f19ef987d24b87ed67
SHA5122b7232ad674d9a7fcc60d942f9fcc740b35215ca53ebecfe76bac79dd919a5d951f6c806993e27f07b4760dca3299435d297285d20a0c161359b6dc7d55afe52
-
Filesize
18KB
MD5a26cb895d7935b5345e1144ff9a276b4
SHA105bbb1948c67ab37d157661d169834bcc9b1ae7d
SHA2565979e77510450a881e513a056ad279f09662865fa6153047d1ddfd6f3ea30936
SHA512a954d2d130ed73a6f873e66dd9a8975499bb31e8a7ab08902df6b95c530b0c92c6994a455f642d005ba879ba04e42d4ffef4af8922f5da3cb43dcd55df4a5b06
-
Filesize
13KB
MD5c5194851cca280dafd937db1e1d1c773
SHA12a5783c0195eb39b2130f8e323a59dd9cf5eab83
SHA256a530bb00e5b56ee1aa7c0c947541fa74cb95505d7013d64397d36551d94f194b
SHA51217ea4740cdc2a0764fd2cbeb1edf87711b6be5e049da2f88f09c90bd55b43a1e795104e1ccb2e9b9db85040359803a77d25a7eb09f4ed9e9209e1413e0ad7c05
-
Filesize
1.8MB
MD56b1be5003973052d34deb0f0b6c0ecd5
SHA13d47ab3e4d475097982a56686ba3298982f8a225
SHA25644b840309d763ca08dc04c62daf30cdf9b282a990ff52572591eb0c004a44b34
SHA5129e2006a743a6f401c42f37f0253a105b7ef0814a5c1667dbe28a1f395f80e788afa20159132b90477d89199c4255d2b56b2a1b405ff2a1ff3c2a307a6fbd9971
-
Filesize
89KB
MD50726d43cf85d986897d078ae49911a9c
SHA1a26932f5f78197872e5dfed717a8ff29f08517e8
SHA25667f011fb576e931d37dd6ebcfda52e4ae4fba59f2831ccaa1b649fbdbde78808
SHA512320c2be79607f3bfe2c56ae986b8ff60d20d6e688b8207183a91c4339a787e338799017c51c0ff2755c6fa5e7fab08ee06429cbe096adacf9f7de2ef2e972e0f
-
Filesize
2KB
MD5de9423d9c334ba3dba7dc874aa7dbc28
SHA1bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA51263f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD5fbdf9c518e67ff4d26ca2f0e077779e2
SHA1ca45ae10832b681aabaaa140cf922fb9a2ca2270
SHA256f786bfdafc4740d300aead3007975aed917663903e786dc9424177e82b534109
SHA51223f4ca4d9f222be8ded224a7ef3948cdc7f67d8947c07c5bc53a425e6e9634c3e07a641d93f0d7ad761034ed587600c731606ac859b65a532e76d96bab161518
-
Filesize
12KB
MD562c69eae6da077acaa44708e83602a33
SHA19a4d989227929d55845975173bd1b5fac51ff39c
SHA2568685dbc00ea504fee4aeb746392b624b79d2971947897ec2f3116c54e4517bbd
SHA51223c69efdd7162036c512bf3efa779604d2807728c78dbc98c75bd76c8f4b6deb2e1e14ea5db8b9b6e4f987c7d38da248556c77939a95a59e8a59b5b178665afd
-
Filesize
25KB
MD5c7d629ee9e0d179c62505b0180d1690a
SHA1295ee6ddd52ccb7bf7bae0313c73aa33467c7b03
SHA256d6bbf9143334c9a44c8f2579305624d7256497df30ae3b478b399d2ec708e990
SHA512b5f45751facac811bd54efb6fdfdf2823ca427b3a11c319471d3987628272847745ba263eb348aca9ab7d6760f83ee12c9c08b13e28ea75465997dfecbc877bd
-
Filesize
22KB
MD5448e602901448c8fccdfb092ea055387
SHA152e10449d4051acf3764ef141159348cecaf647d
SHA25604da4f63ff3cdfbabedef846c5b59b84de5283a7e1f4e865367608424a69cdea
SHA5127cddb905baeeae5ed70a30b6c789e456d09d15ce38bfd497a6556b4f049ddfacf9d5253e83f1704301e602cc637cdd6193456c56ed946dea45dc7bdf5661a988
-
Filesize
23KB
MD578f53f52519bb11b06d2af4366c2a6e6
SHA102066e1e421554b9061458c44600305221bdbcae
SHA256f8a3ec3c96a59ac0e49b168d8c46df386e5f691e45ac8f2103f43b20b7a4d410
SHA5125f660a203c474d13ae6ae1d20c75831bfccd6d91b9c094b2806d025a6cb94ae2c87ee3109bfb24d21fb6ce19af6554e589933060291693260fb9399afbefbfa8
-
Filesize
25KB
MD53ed87e5d6fc95717559f392c09ebf83c
SHA113955f94826c27abc82d96f69ecd0b0c88350350
SHA2564df3c609c77269f07632190211e270f11598bd3eb16086e65c2ebd4784b5b1ba
SHA51257fdb1dece85ce71548ef1f0352abc379eb0e895cc43acc823ff4c70d9fc227e7eb10f3e67137130776c013a2a540f16e5a4b49210bd2ec4325d1aff0a740169
-
Filesize
982B
MD5a972e2736bd078d9660bdeea83d8de8d
SHA184136f1ffc815dff6990c8bfc1e57f0433ac156b
SHA256633ed32b380996511847cf66a4bec392f003333b82e7cc2929330194cc4e2e5c
SHA512cae6bda73c3fbbe9b08895986a4d3f4f786463f92c9dcbc3b94dcad0fe4c55b86bbaa649a005c7b20254cafb7fd1f57f2dc2ae15bedea57764c16eea4737dc5c
-
Filesize
659B
MD5fd383d361ee4792b6eee944058738206
SHA141c750efb3ac854614d3e725f0ea7475c8289f9a
SHA25645915ee1c62d4a9b17897cb634a2b55c731407e77025b2efc6d69fe67e8dadd8
SHA512499e9a5046636b8e5f4c387cec0901beef4f99989c0b1f845e89824c194a6cc08da651060f33d3709f3538fd360c3b480b241b15d9002bdf8e03c195dc1668b8
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD546331e75ff7ae14f28a1a91bdc99ad52
SHA18509c3d185c0718544b5e503ed8475b929495374
SHA25613a83ae4533159cdb3efd0e9f79f8d12b6663e895860ede122a323619e3716d1
SHA5126bfbbb883cb2a0a43d1b5009bd5857204e73c2064caf47a2eff82a058188702caf581afb2e63e4da85960891abc1c961e2ec365ad759a76ef57da9475e5158c0
-
Filesize
13KB
MD54ffacca58de9d2991df8b95843f6087d
SHA159f34eb2c147710972ecb15be6d3ef9293b7f777
SHA256044f5fabf7c05df3e24ada4d659eb4ec7ae1dbddb94d1d71cc85292519d84e4d
SHA5128bf7b4f7e7620583c16f0e263564c1d51cd8c42c759da0b684d3cac47d01787836c5bc29d61580e17c805011c211ab1a702e8f614ae910a66f8fd21fd5f19f5d
-
Filesize
16KB
MD56bd429d9899dd5cfa6b98328d4bc5877
SHA18d1b0d841e746df6dbff0e6a3ad3a3d1106375ef
SHA256df2fa07276f77e846965e5b5b93efd15cad7cba625df1790a6c3184ef9985462
SHA512da6e1929fc6a43f6d85eb9595a4acc2a9befc8ec7fe11b5780541c8f7b2cccddd6350149752a18454b12ef76145db23d6a7d871fd328e03295a79bb1c396b0cd
-
Filesize
11KB
MD5cf8e66902b7a395669105a46a8d11b69
SHA14a396ff87357a3a1c0bc74b35c5b3cf5389a25eb
SHA256ed57c8262e3b0db1741b55525b39e1d1b4bef65dbabdd385d83829a71f0bd715
SHA512ff6a6f3ea9307eb1a8e55abfd79595ca60d76b0e38e40abc11160c797220bcf753b0ab343e4d8c1eb14e991582ac93210d7cd741fc37bde9a56086f1b0d9a0c9
-
Filesize
11KB
MD548c0d14c269acd7327d481067b87e7f5
SHA1e003baf16540972e47cd8f0a161ecfcf66dd0c38
SHA256e22da76bb623044b5f94b2ab87233b1e8ac97714cec2ab49ba60916c9535ce67
SHA5128f0f2baa8da3805d279cec8913206f83c7850f93ae88342b4d58974cf75312998f327cf4aa4adaaa4bcf1f6e1291f7d4a63be6c2a28d442da6a983ea9751fdcd
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB