Analysis
  max time kernel: 142s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-11-2024 04:01
  Static task: static1
  Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20241010-en
General
  Target: file.exe
  Size: 1.8MB
  MD5: b58725b0a514974aae36a20730adc4b3
  SHA1: a99eb4395fc9a95cad952a7d4bd444fb3baa9103
  SHA256: a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76
  SHA512: 21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29
  SSDEEP: 49152:ugpWvpPq4PRzgbjv65CIjyoNaA1bKGfBMK:usWvzgbkaA1TSK
Malware Config
Extracted
  Family: amadey
  Version: 4.41
  Botnet: fed3aa
  C2: http://185.215.113.16
  install_dir: 44111dbc49
  install_file: axplong.exe
  strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  url_paths: /Jo89Ku7d/index.php

  The check-in endpoint is the C2 host joined with url_paths, i.e. http://185.215.113.16/Jo89Ku7d/index.php. install_dir and install_file give the on-disk name of the loader's copy of itself; the process tree below shows that copy running from C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe, which is exactly <install_dir>\<install_file> under the user's Temp directory.
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 5 IoCs]
  The VBOX__ entry under HARDWARE\ACPI\DSDT only exists when the firmware's DSDT table carries VirtualBox's OEM ID, so a successful open of this key tells the sample it is running inside a VirtualBox guest.
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   file.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   axplong.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   2a03c3811a.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   axplong.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry  [2 TTPs, 10 IoCs]
  BIOS information is often read in order to detect sandboxing environments: on an unhardened guest the SystemBiosVersion and VideoBiosVersion strings name the hypervisor vendor.
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   file.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2a03c3811a.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  file.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   axplong.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2a03c3811a.exe

Checks computer location settings  [2 TTPs, 2 IoCs]
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   file.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation   axplong.exe
Executes dropped EXE  [5 IoCs]
  pid    process
  4012   axplong.exe
  4432   2a03c3811a.exe
  1912   a8d13bf5c0.exe
  436    axplong.exe
  3948   axplong.exe

Identifies Wine through registry keys  [2 TTPs, 5 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description   ioc                                                                         process
  Key opened    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine   file.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine   axplong.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine   2a03c3811a.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine   axplong.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine   axplong.exe

Adds Run key to start application  [2 TTPs, 2 IoCs]
  Both values are written by axplong.exe and point at the two payloads it dropped, so the payloads are relaunched at every logon independently of the loader.
  description       ioc                                                                                                                                        process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a03c3811a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002741001\\2a03c3811a.exe"   axplong.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8d13bf5c0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002742001\\a8d13bf5c0.exe"   axplong.exe

AutoIT Executable  [1 IoC]
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x000c000000023b0d-44.dat
  yara_rule: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger  [5 IoCs]
  NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events, a common anti-debugging call.
  pid    process
  1484   file.exe
  4012   axplong.exe
  4432   2a03c3811a.exe
  436    axplong.exe
  3948   axplong.exe

Drops file in Windows directory  [1 IoC]
  description    ioc                             process
  File created   C:\Windows\Tasks\axplong.job    file.exe
Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  [1 TTP, 9 IoCs]
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Five of the nine hits come from the taskkill.exe instances, a system binary reading its own locale; the hits attributable to the sample are file.exe, axplong.exe, 2a03c3811a.exe and a8d13bf5c0.exe.
  description   ioc                                                      process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   file.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   axplong.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   taskkill.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2a03c3811a.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a8d13bf5c0.exe

Checks processor information in registry  [2 TTPs, 8 IoCs]
  Processor information is often read in order to detect sandboxing environments. All eight hits here are from firefox.exe, the legitimate browser that a8d13bf5c0.exe launched, so this signature is browser start-up noise rather than sample behaviour.
  description         ioc                                                                          process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe

Kills process with taskkill  [5 IoCs]
  a8d13bf5c0.exe runs taskkill /F /T against firefox.exe, chrome.exe, msedge.exe, opera.exe and brave.exe in sequence and then starts Firefox itself in --kiosk mode on a URL that lands on a Google password challenge (see the process tree), i.e. it closes the user's browsers and replaces them with a full-screen sign-in prompt.
  pid    process
  2468   taskkill.exe
  3944   taskkill.exe
  1176   taskkill.exe
  2480   taskkill.exe
  3080   taskkill.exe

Modifies registry class  [1 IoC]
  description   ioc                                                                                   process
  Key created   \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings   firefox.exe
Suspicious behavior: EnumeratesProcesses  [14 IoCs]
  pid    process          hits
  1484   file.exe         2
  4012   axplong.exe      2
  4432   2a03c3811a.exe   2
  1912   a8d13bf5c0.exe   4
  436    axplong.exe      2
  3948   axplong.exe      2

Suspicious use of AdjustPrivilegeToken  [10 IoCs]
  description              pid    process        hits
  Token: SeDebugPrivilege  2468   taskkill.exe   1
  Token: SeDebugPrivilege  3944   taskkill.exe   1
  Token: SeDebugPrivilege  1176   taskkill.exe   1
  Token: SeDebugPrivilege  2480   taskkill.exe   1
  Token: SeDebugPrivilege  3080   taskkill.exe   1
  Token: SeDebugPrivilege  4272   firefox.exe    5

Suspicious use of FindShellTrayWindow  [33 IoCs]
  pid    process          hits
  1484   file.exe         1
  1912   a8d13bf5c0.exe   11
  4272   firefox.exe      21

Suspicious use of SendNotifyMessage  [31 IoCs]
  pid    process          hits
  1912   a8d13bf5c0.exe   11
  4272   firefox.exe      20

Suspicious use of SetWindowsHookEx  [1 IoC]
  pid    process
  4272   firefox.exe
Suspicious use of WriteProcessMemory  [64 IoCs]
  Each row is one parent writing into a newly created child; the sandbox logs the same write several times. procid_target is the sandbox's internal index of the target process, not its PID.
  pid    process          wrote to memory of   procid_target   hits
  1484   file.exe         4012 (axplong.exe)        86          3
  4012   axplong.exe      4432 (2a03c3811a.exe)     89          3
  4012   axplong.exe      1912 (a8d13bf5c0.exe)     91          3
  1912   a8d13bf5c0.exe   2468 (taskkill.exe)       93          3
  1912   a8d13bf5c0.exe   3944 (taskkill.exe)       96          3
  1912   a8d13bf5c0.exe   1176 (taskkill.exe)       98          3
  1912   a8d13bf5c0.exe   2480 (taskkill.exe)      101          3
  1912   a8d13bf5c0.exe   3080 (taskkill.exe)      104          3
  1912   a8d13bf5c0.exe   4344 (firefox.exe)       106          2
  4344   firefox.exe      4272 (firefox.exe)       107         11
  4272   firefox.exe      1480 (firefox.exe)       108         27
Uses Task Scheduler COM API  [1 TTP]
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The axplong.job file that file.exe dropped in C:\Windows\Tasks (see "Drops file in Windows directory") is a Task Scheduler job file, and the two axplong.exe instances that start with no recorded parent in the process tree below (PIDs 436 and 3948) are consistent with that task firing during the run.
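When this sandbox's report is exported as text, every signature table collapses into one run-on line of the form `description ioc Process <action> <ioc> <process> <action> <ioc> <process> ... -`, with the IoC free to contain spaces ("Control Panel\International\Geo\Nation") and registry writes rendered as `<value name> = <data>`. The parser below is an added example, not part of this report or of the sandbox's own tooling: it turns such lines back into rows and summarises which process touched which IoC. The three sample lines are copied verbatim from this report's ACPI, Geo\Nation and Run-key tables; the only assumption is that the process column is a single token ending in ".exe", which holds for every row in this report.

```python
import re
from collections import defaultdict

# Three table lines copied verbatim from this report (ACPI VirtualBox check,
# Geo\Nation lookup, Run-key persistence). The text export collapses a whole
# table into one line and leaves a stray " -" after the last row.
ACPI_LINE = r"description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2a03c3811a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -"
GEO_LINE = r"description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation axplong.exe -"
RUNKEY_LINE = r'description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2a03c3811a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002741001\\2a03c3811a.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a8d13bf5c0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002742001\\a8d13bf5c0.exe" axplong.exe -'

# "description" values seen in this sandbox's tables. Everything between an
# action and the trailing process name is taken as the IoC, so IoCs may
# contain spaces ("Control Panel\International\Geo\Nation").
ACTIONS = ("Key opened", "Key value queried", "Key created",
           "Set value (str)", "File created")
_ACTION_RE = "|".join(re.escape(a) for a in ACTIONS)
# Assumption: the process column is one token ending in ".exe" (true for every
# row in this report). A row ends where the next action starts or at the end
# of the line, optionally followed by the stray " -".
_ROW_RE = re.compile(
    rf"({_ACTION_RE})\s+(.+?)\s+(\S+\.exe)(?=\s+(?:{_ACTION_RE})|\s*-?\s*$)")


def parse_ioc_table(line):
    """Split one flattened 'description ioc Process' line into row dicts."""
    body = line.strip()
    header = "description ioc Process"
    if body.startswith(header):
        body = body[len(header):]
    rows = []
    for action, ioc, process in _ROW_RE.findall(body):
        row = {"action": action, "ioc": ioc, "process": process}
        # Registry writes are rendered as "<value name> = <data>"; keep both.
        if action.startswith("Set value") and " = " in ioc:
            row["ioc"], row["value"] = ioc.split(" = ", 1)
        rows.append(row)
    return rows


def summarize_by_process(rows):
    """process name -> sorted, de-duplicated list of the IoCs it touched."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["process"]].add(r["ioc"])
    return {p: sorted(iocs) for p, iocs in sorted(seen.items())}


if __name__ == "__main__":
    rows = []
    for line in (ACPI_LINE, GEO_LINE, RUNKEY_LINE):
        rows += parse_ioc_table(line)
    for process, iocs in summarize_by_process(rows).items():
        print(process)
        for ioc in iocs:
            print("   ", ioc)
```

Feeding every table of a report through parse_ioc_table and then summarize_by_process gives the per-process view the HTML page shows but the text export loses; for this report it makes it obvious that axplong.exe performs every anti-analysis check the loader does and is also the process that writes both Run values.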
Processes
(depth in brackets; each entry lists the image, its PID, the command line and the signatures that fired for it)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1484)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe  (PID 4012)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1002741001\2a03c3811a.exe  (PID 4432)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1002741001\2a03c3811a.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1002742001\a8d13bf5c0.exe  (PID 1912)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1002742001\a8d13bf5c0.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 2468)
          cmdline: taskkill /F /IM firefox.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 3944)
          cmdline: taskkill /F /IM chrome.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 1176)
          cmdline: taskkill /F /IM msedge.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 2480)
          cmdline: taskkill /F /IM opera.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe  (PID 3080)
          cmdline: taskkill /F /IM brave.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4344)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4272)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1480, gpu process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e5ac39-e430-438d-81ce-3dcc4db73135} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" gpu

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2344, socket process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {956843ba-ac72-4fb6-9a5f-71c50e52add2} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" socket

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2652, tab process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3064 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {543bb934-7623-4cc1-8c79-1dd1eec0613a} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3156, tab process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2756 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d77cd0e-ced6-4bb9-a146-6ef751bfb63e} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2392, utility process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53cd8531-df0d-4ddf-85aa-7837a459a078} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" utility
              - Checks processor information in registry

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5828, tab process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0686bc6e-1d03-48a6-a3e6-40c39f1d9d66} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5840, tab process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a8015e0-58a3-4e2a-87f5-7f5a756bb339} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab

          [6] C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5856, tab process)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd5a30fc-2741-45b8-90b3-232951996b97} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab

[1] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe  (PID 436, no parent recorded)
    cmdline: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe  (PID 3948, no parent recorded)
    cmdline: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
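The process tree above carries four behaviours that are cheap to detect on endpoints outside the sandbox: several sandbox-fingerprint registry reads from one process, a Run value written under the user's hive, a .job file dropped in C:\Windows\Tasks, and a parent that kills every common browser with taskkill and then relaunches one in --kiosk mode. The rules below are an added example, not the sandbox's or any vendor's detection content. They assume a Sysmon-style event stream already normalised into dicts with the fields t, type, pid, ppid, image, target, cmdline and data (the field names are this example's own), and the sample events are constructed to mirror this report's tree, with two benign events added to show what does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Registry locations this sample read to fingerprint the sandbox. Per-user
# HKU\<SID>\ prefixes are folded to HKCU\ so the rule is SID-agnostic.
FINGERPRINT_KEYS = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKCU\Software\Wine",
)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)
TASKKILL_IM_RE = re.compile(r"/IM\s+(\S+)", re.I)


def norm_key(path):
    return HKU_SID_RE.sub(lambda m: "HKCU\\", path)


def sandbox_fingerprinting(events, min_keys=2):
    """(pid, image) -> fingerprint keys read, for processes reading >= min_keys.
    One such read is normal for installers; several from one process is a tell."""
    hits = defaultdict(set)
    for e in events:
        if e["type"] == "reg_read":
            key = norm_key(e["target"]).lower()
            for fp in FINGERPRINT_KEYS:
                if key.startswith(fp.lower()):
                    hits[(e["pid"], e["image"])].add(fp)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_keys}


def persistence_artifacts(events):
    """Run values written under CurrentVersion\\Run and legacy Task Scheduler
    .job files dropped in C:\\Windows\\Tasks, as (kind, pid, target, data)."""
    out = []
    for e in events:
        t = (e["target"] or "").lower()
        if e["type"] == "reg_set" and "\\currentversion\\run\\" in t:
            out.append(("run_key", e["pid"], e["target"].rsplit("\\", 1)[-1], e["data"]))
        elif e["type"] == "file_create" and t.startswith("c:\\windows\\tasks\\") and t.endswith(".job"):
            out.append(("job_file", e["pid"], e["target"], None))
    return out


def browser_kiosk_hijack(events, window=timedelta(minutes=5), min_kills=3):
    """One parent runs taskkill against >= min_kills distinct browsers and then
    launches a browser with --kiosk inside `window` (what a8d13bf5c0.exe did)."""
    per_parent = defaultdict(lambda: {"kills": [], "kiosk": []})
    for e in events:
        if e["type"] != "proc_create":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        when = datetime.fromisoformat(e["t"])
        if image == "taskkill.exe":
            m = TASKKILL_IM_RE.search(e["cmdline"])
            if m and m.group(1).lower() in BROWSERS:
                per_parent[e["ppid"]]["kills"].append((when, m.group(1).lower()))
        elif image in BROWSERS and "--kiosk" in e["cmdline"]:
            per_parent[e["ppid"]]["kiosk"].append((when, image, e["cmdline"]))
    findings = []
    for ppid, d in per_parent.items():
        for when, image, cmdline in d["kiosk"]:
            killed = {n for t, n in d["kills"] if when - window <= t <= when}
            if len(killed) >= min_kills:
                findings.append({"ppid": ppid, "browser": image,
                                 "killed": sorted(killed), "cmdline": cmdline})
    return findings


def ev(t, kind, pid, image, target=None, ppid=None, cmdline="", data=None):
    return {"t": t, "type": kind, "pid": pid, "image": image, "target": target,
            "ppid": ppid, "cmdline": cmdline, "data": data}


TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
HKU = "HKU\\S-1-5-21-1045960512-3948844814-3059691613-1000\\"
FF = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
TK = "C:\\Windows\\SysWOW64\\taskkill.exe"

# Constructed events mirroring this report's process tree, plus two benign
# ones: an installer reading a single BIOS value and a normal Firefox launch.
SAMPLE_EVENTS = [
    ev("2024-11-12T04:02:01", "reg_read", 1484, TMP + "file.exe", "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"),
    ev("2024-11-12T04:02:01", "reg_read", 1484, TMP + "file.exe", "HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"),
    ev("2024-11-12T04:02:02", "reg_read", 1484, TMP + "file.exe", HKU + "Software\\Wine"),
    ev("2024-11-12T04:02:03", "file_create", 1484, TMP + "file.exe", "C:\\Windows\\Tasks\\axplong.job"),
    ev("2024-11-12T04:02:05", "reg_read", 4012, TMP + "44111dbc49\\axplong.exe", "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"),
    ev("2024-11-12T04:02:05", "reg_read", 4012, TMP + "44111dbc49\\axplong.exe", "HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"),
    ev("2024-11-12T04:02:30", "reg_set", 4012, TMP + "44111dbc49\\axplong.exe",
       HKU + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\2a03c3811a.exe", data=TMP + "1002741001\\2a03c3811a.exe"),
    ev("2024-11-12T04:02:40", "reg_read", 7001, "C:\\Users\\Admin\\Downloads\\setup.exe", "HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"),
    ev("2024-11-12T04:03:10", "proc_create", 2468, TK, ppid=1912, cmdline="taskkill /F /IM firefox.exe /T"),
    ev("2024-11-12T04:03:11", "proc_create", 3944, TK, ppid=1912, cmdline="taskkill /F /IM chrome.exe /T"),
    ev("2024-11-12T04:03:12", "proc_create", 1176, TK, ppid=1912, cmdline="taskkill /F /IM msedge.exe /T"),
    ev("2024-11-12T04:03:13", "proc_create", 2480, TK, ppid=1912, cmdline="taskkill /F /IM opera.exe /T"),
    ev("2024-11-12T04:03:14", "proc_create", 3080, TK, ppid=1912, cmdline="taskkill /F /IM brave.exe /T"),
    ev("2024-11-12T04:03:20", "proc_create", 4344, FF, ppid=1912,
       cmdline='"' + FF + '" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'),
    ev("2024-11-12T04:05:00", "proc_create", 9001, FF, ppid=5555, cmdline='"' + FF + '"'),
]

if __name__ == "__main__":
    for rule in (sandbox_fingerprinting, persistence_artifacts, browser_kiosk_hijack):
        print(rule.__name__, rule(SAMPLE_EVENTS))
```

The thresholds are the interesting part: a single BIOS-version read is too common to alert on, so sandbox_fingerprinting requires two distinct fingerprint locations from the same process, and browser_kiosk_hijack keys on the combination (several browser kills, then a --kiosk launch from the same parent) rather than on taskkill alone, which administrators also run.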
Network
MITRE ATT&CK Enterprise v15
Downloads
Most entries are Firefox profile and cache files written by the browser that a8d13bf5c0.exe launched. Entries listed without a path have none in the export; the 1.8MB entry carries the same hashes as the submitted sample.

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
  Filesize: 24KB
  MD5: 1b9bde747c53fbde24cfb55a3731b37d
  SHA1: 6bcf37e8b0acd2ba018788934b041570bb381d3d
  SHA256: cf3153bd59e9968662ac28e409159aa6d4754c4d7aa0bcb5ac1d9085e000a962
  SHA512: 9bb9650ad07885a7ffbf7c18e3649564bfeb8f4df3a18cd7c8e5e910bdc80b32dd6cbdd2c2edcfcc8627a1ab52701054ac62b09ec815d389657c9a0ac0b2a729

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
  Filesize: 13KB
  MD5: fd062c4825cf390974d386cfcf0b5953
  SHA1: ba9079edcf02db4222fa2bba9ebab92bc1029a6d
  SHA256: 34dd533976bb8fc61f4270ca5aa9435bfad7b9f12a6f3fb26508310abdfcce36
  SHA512: eb1695554fe64f7dfdbbb3615b450f9fee6eb0989b118f37e312b94cdefa46622284620709ec84fea8f3212dd727fa7335cc3d37bd9db0656e17cdcdd3c35511

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
  Filesize: 13KB
  MD5: b1c2389d92097c5ce1e750d992915e67
  SHA1: 48ac63b5a88fba3c4dd980f195aa256786022fc7
  SHA256: 6c0be5ac0baf419fb29500da8a63beb6f550943ea43a534ff7d30aa0b7fef38d
  SHA512: 4c51cda02890be115cd7870c327da58affb96ee8dd2054823cf549bc4d9dbbe7deee2a9401c509f1b9be52bbf0566f62da10363d7042afe91de440b11f701cf8

(path not recorded in the export)
  Filesize: 1.7MB
  MD5: 59b3273d9d5c8f80b5cfe9e160188073
  SHA1: 3dfe989cba1316ed1a4e82b8bf9e73301749e559
  SHA256: 101e5dd7863cc4cc10c084d7468f2bd81a77323f9fb49b4b5ebd6077a5552ba8
  SHA512: 7a5b0b3e6f368a8e34abbb9059d0399937373eccac17de9cbd9e911833ed48d369e97fc3fbf02ba73d66661a2b50926f0630f9923f679f771ca968506da1b128

(path not recorded in the export)
  Filesize: 898KB
  MD5: 530c8d510535e62fd422303538b7dcf4
  SHA1: 6287ff30b41766ae4a5a78541581ed683bba7a30
  SHA256: ebac1e80d8da8f131c6264728c4e1b47091619499ea5f5cbb415736f4135aa95
  SHA512: 51d6e4edf9c38901b966feaa8e5e4c73662b95047f19c77d2640b3a7db83c18f74b09cdc5a025ea5a45b9fd58cf61d343f55945f77b0c1382baf4d94f9e255a6

(path not recorded in the export; hashes match the submitted sample)
  Filesize: 1.8MB
  MD5: b58725b0a514974aae36a20730adc4b3
  SHA1: a99eb4395fc9a95cad952a7d4bd444fb3baa9103
  SHA256: a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76
  SHA512: 21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29

(path not recorded in the export)
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(path not recorded in the export)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 4b339d2d3391a7b92084eda2c1992ae0
  SHA1: 93ac4f151f7a4bc8a79e5811e0a5b80e71109f65
  SHA256: 4b27c91b67cda95c389cdd4cb06fab23cee2e98a0fbe7f7a346575f9e021ea63
  SHA512: face01c58f1e7a95ae2211c54ba0b82d0f497e0087da2c118db7f723287fb54e876d42c3aa3036bbcfcf2fc7087a7472719ab5eba1571671317a0a5fd25fad81

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 13KB
  MD5: 66da15cea486e2c6f1ceada62518f551
  SHA1: 6d26568553b5ef22f2ef6d3a36dfff9d1f900937
  SHA256: 3f91699106841895febb551d2838443cd71db3334a3801632fa2926dfa4aeac7
  SHA512: cab0e3cd5baca029d971dcdce014dc9193446a754ddb5a3a6d442b58ad132dcdaa97f78a3add7afb7926cf6e90d0f38bc7a60ac2e51e971b8f5fb232449f7dbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: e260e40350e20bf6bd46d3b58374b7c5
  SHA1: 5a5b30a3c5d8f16b84fea708cabea9d935677bc1
  SHA256: 89044ab51bb140e0b4ef4cdf39f9ca6037058890b7742e753e9fef7117f03879
  SHA512: be14b702f83d1cb12a9e95c911a467d0518cb60652332e05e42bf8287a471895cb5ec0cbe0892069fc552457e236d421df6a0e75ae732e0d076a4216f9a6457e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: 9bc94ac7a6c247c84b48ca1cd6b2f083
  SHA1: ca230840a8cb091806211d1c409dcaa00e7484a0
  SHA256: c4f696f4aede3310ff100ce2702b33611ec52750d2e46e4e6f714a1b9d142407
  SHA512: ae1b41e8fb8fe2b506e138e1a972a913d7bcd0331f6bd0a78327480ce719a8b113a6288582a8d95caae199eef114a39607b9769261ae204009cd3a77d7ab2fb5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 15KB
  MD5: c011add4549648604707585b133595cd
  SHA1: 2135533534048758040282c8893cf8bae895fb23
  SHA256: 108d1794996b51b039906e322ce63435da99d1fbb5286ab232e6200d11a89a96
  SHA512: 54d8ec9c96378e15ef513166978de1b5abed16682f8e3856bb8e35347b901b77425979afe7c26aaa51f15ed1ac8063e30a30a3ed1c915d57e36015cf36044e2f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 15KB
  MD5: f1058ed1078d3379d1555e1be5be2ce0
  SHA1: da3b0e35e167dcafeb62ab61f58b1761e792a1fc
  SHA256: c40779b54ed64344a8954ce1845b991ca477a1f56a86531ad6f76c9190409ea9
  SHA512: a9151d1b3d2240358a357ee91e70cab98cbd8c47eb2a1f317cbfcacb6ddcfa59e9db502ec834f921974ee8a92e3773c4b35aef13fe77048fad39fab90d2eed4e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: d8a1a0e881a2876910347881e05b976f
  SHA1: 87112afeffdbe20eb75f87c08378484f6af05867
  SHA256: 9ba2d7637d41f2a5edd4c3085374677b771356d6d91e38f08af3dd5a8b7a2a83
  SHA512: df33435395b81250476b2bcadb2f81241ce9f67a70e47d867463d496904c8d8e9b915df33e4165504b38336dfcd7342cbaff2ad2ec4126384105c377140965f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\61c8b8f8-1496-4eeb-8057-059343b029ad
  Filesize: 982B
  MD5: b06c63fd8e3841b0fba0164dc9b15af6
  SHA1: 7ce1c0d0a7db8673e68e0f6dff5ae41479dee0ab
  SHA256: ebe10d5d034ae3a7a67f53c54113e712ce0efec4b9a4c10d85bff829224f6947
  SHA512: 51d38daf69aeb31cb924ff56d4aced69a046c3c90d75f15c57d052395a3c2089490142a52e901cc0e9bee3464ee324d7ad394976e96f0628f5a483e3e9ea1805

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\787950d7-21b2-4ffd-a8c1-1a061682bf0b
  Filesize: 671B
  MD5: cdf974b0b1badc16a0351a077c22683c
  SHA1: 7d877d5d132ba2b8115e45e97063947a9d352cff
  SHA256: 57ac685dd366639b6c7fd6999bd8419f6e61bb69f57327b0e319e9586878e9c7
  SHA512: 33a6b574a2d2a6f4de0742fdc9ec3043711f1208f683847b16db832543bc5980af03fffbf5c9af05b3945bbf190a51b8e395ed1ee873f69c0ff455ae15adc576

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\f4d4e98f-c572-4535-aafc-3ccfa7ab97d7
  Filesize: 26KB
  MD5: 496439312f7a98d5cbfc11fa1659db3c
  SHA1: e8e77e3d2e24641d06b707a8de846b632b6ea53d
  SHA256: 86fe64a8cd233bc9b26636478bd76ec9103781dd69b390d1f9f7cc06eab1bf0a
  SHA512: fd0bc99ef7b117dd8796674e14305a2906aee0bdf7810391057e447a411ab5b0c97750e96f968cdab0b44a1ecb44d0b7d2bcdd997eed6abd42c1fd53992aa6e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

(path not recorded in the export)
  Filesize: 12KB
  MD5: 6e622ef1d925e7ab9a93e60c443d6cc5
  SHA1: 3e05e1427c17017dffb74d189ead1f55112b9517
  SHA256: 2397262dc55a4fb8954f3d2a11f65ab7950e4c58385a721d2d8f3a09d1c04b4d
  SHA512: cf1ac3e2642c1d8cdb00e2774a8c8102d697bde8f301727ab401c160169b598da7e698d01fe1da4c235fde07a6e2f1cb6637cedf2740401ed1e38984fa2b0203

(path not recorded in the export)
  Filesize: 15KB
  MD5: f62c283ccfe700443d52b62370c6a866
  SHA1: a9c7b1deb23cd0dff11538c7b1ad6186a95a5156
  SHA256: d9863f3fdbc89f9d273dd570afd4f7708cb143c399c60381898934b216accdb2
  SHA512: e21a1ec1eecd03a36e0958e95df76d41a71ee713a6cbee748e95a5fa799d95f9a0f5920b21742294b8d86937d8a595bcad7aa08dc77a7c3c988686a336e941f7

(path not recorded in the export)
  Filesize: 10KB
  MD5: 9c2c0db23be50c0b25a43a3509676b6a
  SHA1: 0c891747bfa2cc4b3d5d2526df125e10d83a1029
  SHA256: 2eccb5a7ce9671814ce9eb944d9f93eacf3418d3bc524d23497d3903f4edef70
  SHA512: d4f7f7a02145d3e79b0bb115c0a467519368188f783cc5f8b9839327af4161191a0304d31574ad652eecb3905919f8328fb7830e29da617365639b6bdb0750dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 1.8MB
  MD5: 481fc4e3fee6436632784bd98ad9b4a1
  SHA1: 8d43c3dc3bf6cac6f8162888a00a86ccb000b24c
  SHA256: ad48024487b0184ee01babd406fdd88b13abe00f7b6d7f0bc909894b69a46d6c
  SHA512: da79cd2eb2b59aa703a58f79241fb615d70b4c918ff6ba1b99202551e56f68cee79a08cfe52999bccd266071ec2988df9c6889e9498fd7e87e7aec1d0de1de55