amadey | 4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	neon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	neon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	neon.exe

Executes dropped EXE 7 IoCs

pid	Process
3340	axplong.exe
2728	axplong.exe
2196	neon.exe
5996	neon.exe
5944	neon.exe
5180	neon.exe
5272	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine	axplong.exe

Loads dropped DLL 2 IoCs

pid	Process
208	taskmgr.exe
208	taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
3340	axplong.exe
2728	axplong.exe
5272	axplong.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 2876	2196	neon.exe	107

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3424	cmd.exe
4528	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{9D392F91-6637-4C62-8C52-C45872038C8C}	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
208	taskmgr.exe
208	taskmgr.exe
3340	axplong.exe
3340	axplong.exe
208	taskmgr.exe
208	taskmgr.exe
2728	axplong.exe
2728	axplong.exe
208	taskmgr.exe
208	taskmgr.exe
2196	neon.exe
2196	neon.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
1124	msedge.exe
1124	msedge.exe
208	taskmgr.exe
208	taskmgr.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
208	taskmgr.exe
208	taskmgr.exe
2196	neon.exe
2196	neon.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
652	msedge.exe
652	msedge.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
5452	identity_helper.exe
5452	identity_helper.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
208	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	taskmgr.exe
Token: SeSystemProfilePrivilege	208	taskmgr.exe
Token: SeCreateGlobalPrivilege	208	taskmgr.exe
Token: SeDebugPrivilege	2196	neon.exe
Token: SeDebugPrivilege	5996	neon.exe
Token: SeDebugPrivilege	5944	neon.exe
Token: SeDebugPrivilege	5180	neon.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
208	taskmgr.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
208	taskmgr.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe
208	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3340	4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe	83
PID 4304 wrote to memory of 3340	4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe	83
PID 4304 wrote to memory of 3340	4304	4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe	83
PID 3340 wrote to memory of 2196	3340	axplong.exe	86
PID 3340 wrote to memory of 2196	3340	axplong.exe	86
PID 2676 wrote to memory of 1948	2676	msedge.exe	94
PID 2676 wrote to memory of 1948	2676	msedge.exe	94
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1096	2676	msedge.exe	96
PID 2676 wrote to memory of 1124	2676	msedge.exe	97
PID 2676 wrote to memory of 1124	2676	msedge.exe	97
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98
PID 2676 wrote to memory of 628	2676	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe
"C:\Users\Admin\AppData\Local\Temp\4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe
    "C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3424
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 6
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
        5⤵
        Adds Run key to start application
        
        PID:5212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\neon.exe
      "C:\Users\Admin\AppData\Local\Temp\neon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\neon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\neon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5944
      - C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:208

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=neon.exe OCCT"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffef7ce46f8,0x7ffef7ce4708,0x7ffef7ce4718
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,2648902727476566679,10682640133899269091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion