0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

Analysis

max time kernel
63s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xenos64.exe
Size

1.3MB
MD5

6f0dd4150efddfc20b70401479964211
SHA1

e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA256

0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512

d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
SSDEEP

24576:uLGfO4noYBPtVY3HPou37urInN48pGrnofSVgPCS3tMrMyj3F9hIF1SqY5cbaF:uLGfKY5tVY3gur9N4p0SVE3tMx3FE1Sr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0 = 98003100000000008f57915b110050524f4752417e320000800009000400efbe874fdb498f57915b2e000000c3040000000001000000000000000000560000000000dd682f01500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\NodeSlot = "6"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\0 = 6c003100000000008f572a5c1000494e5445524e7e310000540009000400efbe874fdb498f572a5c2e000000dc0400000000010000000000000000000000000000006571ec0049006e007400650072006e006500740020004500780070006c006f00720065007200000018000000	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --load %1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 19002f433a5c000000000000000000000000000000000000000000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xenos64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4584	Xenos64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	Xenos64.exe
Token: SeLoadDriverPrivilege	4584	Xenos64.exe
Token: SeDebugPrivilege	4984	firefox.exe
Token: SeDebugPrivilege	4984	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4984	firefox.exe
4984	firefox.exe
4984	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4584	Xenos64.exe
4584	Xenos64.exe
4584	Xenos64.exe
4984	firefox.exe
4584	Xenos64.exe
4584	Xenos64.exe
4584	Xenos64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 5000 wrote to memory of 4984	5000	firefox.exe	96
PID 4984 wrote to memory of 4136	4984	firefox.exe	97
PID 4984 wrote to memory of 4136	4984	firefox.exe	97
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3628	4984	firefox.exe	98
PID 4984 wrote to memory of 3432	4984	firefox.exe	99
PID 4984 wrote to memory of 3432	4984	firefox.exe	99
PID 4984 wrote to memory of 3432	4984	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.0.1941486631\2104803717" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7e77ef6-a174-4406-9d4c-8cea1b4fe114} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 1980 17f2fe05a58 gpu
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.1.472754623\1845171996" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a63c432-e832-441e-ac60-9ef9e8485529} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 2380 17f22472b58 socket
    3⤵
    PID:3628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.2.1649680274\240098105" -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 2848 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01adc217-3088-44c6-93be-c41039783eac} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 3236 17f2ec5a758 tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.3.73768905\1388552860" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3496 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee099f5-da51-42e9-bac2-3c289f393b14} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 3632 17f2245b558 tab
    3⤵
    PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.4.1271039932\1779475244" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f23d825-e112-45a2-a596-42ee1f71fcec} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 4044 17f34578e58 tab
    3⤵
    PID:604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.5.829071480\1116539540" -childID 4 -isForBrowser -prefsHandle 5056 -prefMapHandle 5076 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dd7acd9-0978-4a8b-9ec4-a8c2fbd38217} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 4832 17f32b7af58 tab
    3⤵
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.6.1761798643\1700700457" -childID 5 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a761a24-64f1-4d64-a8f0-24bea1dedee9} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5204 17f32b78b58 tab
    3⤵
    PID:660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4984.7.1703835711\1026506298" -childID 6 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b316b1d-abe8-4fb6-8e6a-678cd3ccbe85} 4984 "\\.\pipe\gecko-crash-server-pipe.4984" 5188 17f32b78558 tab
    3⤵
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2805087310e6e671af9e48c1e32cf6db

SHA1
420d522f99e20928e161a0ce9eb626a2a75847d0

SHA256
c3c292b13b601ad4ac59b1b799df51a1816329c6bdae29aac95193e50d0c3f52

SHA512
c947aac456a5a46aa6a5c63d6aa91c07b3a70e2d0284cc693d7be623682adc0b9da69d221b007368b17c1bb1a534bc713af8e60cd1e720c18dfbd9438c89a6da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\3c7af83a-ef59-479e-b42a-6c499d31721b

Filesize
746B

MD5
03ed089252103c4fef0e8370111604d2

SHA1
aa68b06a93219f658732004c0243e9066861861b

SHA256
e05f58344ee9861302ed95be5fe1a1bdd424c2c6f7c9a6132d689284abff920f

SHA512
e1ec1fdc1457f080bd548043ebc5b3130cec9f3e0668b00fee61b1572f48ef320e25838ad58f9115cbae559970e487e51546e3c459bdbe629c9eb7d1df1bd04d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\986f8da5-de1f-4dc5-a667-9a757ff4dc86

Filesize
11KB

MD5
9c2a279f54d2ebf272086b78a6e34f25

SHA1
7c12fd966cae186f1a633f03c34c0aed5d866da3

SHA256
5795cf792d2770b203a95531cce3d50c5b4290fbd357925f0ddbddd16cae207e

SHA512
e67dd2721978f496f62eb76cf3febb810b403418384bb3eea98cd4e8de3d44a81c7917c6982c5a42f0a8f5ce0c43fe8811f2200087a0b3328af68b4c339975c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs-1.js

Filesize
6KB

MD5
b3aa67550ad5f796b04f75d9b013f3b5

SHA1
f812552204a847182b5351745ffefe724078750f

SHA256
c2c5495a5c7d5fd50caeb02a95913ce8a6978183742b0c99057f3c6d99829d83

SHA512
ee944d7b3d6c652cbeba99b01d87df71e003f5e5152d829b3ad9bb69f64bc0ec59baca96c72c89b18a28e6b8f119b5135232f0c862ec7305ea7db3a5daeaef26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
c51e0e74320865e83853de6b589cff83

SHA1
fa913872064e0c5c4e0396bcd7d84b999cecee54

SHA256
a4f294c72a098106e8cc437728e591887ff926ff3dccff32d01300f62ee0f183

SHA512
d6e79dc927f121bb7ba529e93fb0ca008151ed9de8e96cb6a7412c6028dc0ab1f89b00df9e408e0b1472a3d197403609f566bab350871357e8e7afcc0685e278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
0843bca93bd22d44437967ae3d27dd4d

SHA1
071de89122e5059a770caad3e15ac9ccd40e2a1d

SHA256
7f7eff2213f3f9ca7e8d2f6c06cf18a94be2d85c0d3d7e2b38872c441fb2c0df

SHA512
947dd0304669a768b2881229249e529a06c755c0c86b1b85e516ec537458e3d1db4b941b30a30d6378ace7530626b3bbee564b144bdb4fe6a18f9d4848e8a666

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
316fdbe453470af2b864ae089563fab0

SHA1
eb6b71ffd6fe8495c5095eb49142416f9652c945

SHA256
8d5df4c799734f4b6ad16a790f039b85d6d022594396c59ec193a0d438076b91

SHA512
8a0222f11aaee20b50ae33d66b59af1c0114290d5c1490ae2e9a598c11552415fc91eadff06e9aea27a0a9985376e8e4ab39c7fa116d3ad8bf913f67222edbe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
feacfeaa6370d0dd460a0609e1e1435e

SHA1
1463da69f34d0efa56e61d9dd55ac1f435237b5b

SHA256
d57b87db93a487d521c52be8e0d599fcfb17e8012f6066c303f4e48e92c3f439

SHA512
61097d4419f67e7b364a5f0f3a248d801e0bbff2283ffce8cb89a5d43309145288c20ce1a6620217c81256db7da81de7d184a0c7eb769ea237902a5abbe5782b

Download Submit
memory/4584-10-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/4584-11-0x00000000022D0000-0x00000000024C5000-memory.dmp

Filesize
2.0MB

Download
memory/4584-18-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download