xenorat | b56aa51e6c3e6d8e4ed7a15a1480033741ee27d2e35957be742f9d799ad828f7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
02/04/2025, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

112KB
MD5

ae4d2ce16c802796d3b052c98f380df0
SHA1

a2744daae12f133c6b6be3e366ac90947bbed748
SHA256

b56aa51e6c3e6d8e4ed7a15a1480033741ee27d2e35957be742f9d799ad828f7
SHA512

bfb5225d6411c913ec098ff70311302dfff76f52addb527e2790b8b766ada513af453bad0f5d3f8caa7993558fe7ebc7a2bb5ad33c5a5ad260dde6f039fe842f
SSDEEP

768:0dhO/poiiUcjlJInT7ElmH9Xqk5nWEZ5SbTDawuI7CPW5aZLKEe+eJaS:Ow+jjgnPElmH9XqcnW85SbT9uIyZzS

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

178.83.80.11

Mutex

WinStart

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
WinStart

Signatures

Detect XenoRat Payload 8 IoCs

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000E60000-0x0000000000E82000-memory.dmp	family_xenorat
behavioral1/files/0x0007000000028238-2.dat	family_xenorat
behavioral1/memory/5880-11-0x0000000006180000-0x000000000618A000-memory.dmp	family_xenorat
behavioral1/memory/5880-15-0x0000000008CD0000-0x0000000008CDA000-memory.dmp	family_xenorat
behavioral1/memory/5880-452-0x0000000001040000-0x0000000001048000-memory.dmp	family_xenorat
behavioral1/memory/5880-475-0x0000000001050000-0x000000000105C000-memory.dmp	family_xenorat
behavioral1/memory/5880-477-0x0000000001490000-0x00000000014A2000-memory.dmp	family_xenorat
behavioral1/memory/5880-480-0x00000000013D0000-0x00000000013DA000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 2 IoCs

pid	Process
5880	Client.exe
1480	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
908	schtasks.exe
4576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe
5880	Client.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5880	Client.exe
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	1480	Client.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5880	Client.exe
2952	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 5880	2880	Client.exe	82
PID 2880 wrote to memory of 5880	2880	Client.exe	82
PID 2880 wrote to memory of 5880	2880	Client.exe	82
PID 5880 wrote to memory of 4576	5880	Client.exe	86
PID 5880 wrote to memory of 4576	5880	Client.exe	86
PID 5880 wrote to memory of 4576	5880	Client.exe	86
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 5756 wrote to memory of 2952	5756	firefox.exe	103
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5436	2952	firefox.exe	104
PID 2952 wrote to memory of 5992	2952	firefox.exe	105
PID 2952 wrote to memory of 5992	2952	firefox.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WinStart" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WinStart" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DBB.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1984 -prefsLen 27100 -prefMapHandle 1988 -prefMapSize 270279 -ipcHandle 2056 -initialChannelId {b575d04a-0fb5-4305-b568-555d6e951eb3} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2416 -prefsLen 27136 -prefMapHandle 2420 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {d0c621d9-9569-4277-95a7-bbd42cdd27f4} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:5992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3848 -prefsLen 27277 -prefMapHandle 3852 -prefMapSize 270279 -jsInitHandle 3856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3864 -initialChannelId {6dee0412-fbf4-4496-bd23-3c7a4e4758d8} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4016 -prefsLen 27277 -prefMapHandle 4020 -prefMapSize 270279 -ipcHandle 4136 -initialChannelId {8e3af8ac-0277-419a-8568-d1bee26b8404} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:2744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4596 -prefsLen 34776 -prefMapHandle 4600 -prefMapSize 270279 -jsInitHandle 4604 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4612 -initialChannelId {2b22cdff-1520-4947-91ca-15f2c7e4cc26} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5156 -prefsLen 35092 -prefMapHandle 5160 -prefMapSize 270279 -ipcHandle 5168 -initialChannelId {52185e84-94c0-494f-8017-c5f3917a0138} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5744 -prefsLen 33031 -prefMapHandle 5740 -prefMapSize 270279 -jsInitHandle 1640 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3340 -initialChannelId {f760246d-4400-45b6-8618-adf23aba656c} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5820 -prefsLen 33031 -prefMapHandle 5812 -prefMapSize 270279 -jsInitHandle 5808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5856 -initialChannelId {23daee66-8042-43c1-a268-d40484c7eb50} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6084 -prefsLen 33031 -prefMapHandle 6088 -prefMapSize 270279 -jsInitHandle 6092 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6104 -initialChannelId {c7988766-5f92-4733-9ebf-715a71ee63eb} -parentPid 2952 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2952" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
226B

MD5
66aea5e724c4a224d092067c3381783b

SHA1
ee3cc64c4370a255391bdfeef2883d5b7a6e6230

SHA256
04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

SHA512
5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hvu0ry3.0ym.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp

Filesize
1KB

MD5
e8866bed06a0b5155010fbbf77e2c1b6

SHA1
ac340e71878732fdb9baa7370e46e0d131b587ea

SHA256
1dd2854ea9bd999669c85d57a63402a9cd2879ad3c94b86981e9eb3251d87a2a

SHA512
1d702e5d9273af39aea0df3fcce0df4979f9c361d52673d7a0916c2b55765536596d8dc1aadb3c27d2e3a001c3a5269e7146fc44d20af11c08394932ff633990

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
3b082bff5535936fc316e7d4dd6af047

SHA1
558d08ad6d806280b9daae7190fab4a835d05cb4

SHA256
4bf0c5372d176b9a2650883adce796675a217ff417707e6faa0c3246763bb64c

SHA512
dc9e53339af9d642980092f5e089c79ab56e00f5e61d29e0005122a5ed27c7160d46247a94b092bc626cf392bea2fdcb130041f3c9fe71c8a6b1d3076fd3030f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7a289ac99a9bba391f056c62a53045cd

SHA1
df7cf301f797a8f76440b759bc67faee7fe2ed04

SHA256
c0c5cced610f27c921d6a5a26ed86feac05aafa5711fef578ae7de7c567ac1b2

SHA512
254210c327050f935285cb00fdda0ab1dec6b7f60fbea43db90a5f9b5b71f63ac5aaa38725173f45489e52afb2aef13bd22e15c1baf85f56cc7b966f0dac1f7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
4a555e887b1c3740fca642c385214834

SHA1
ce7a1e930194e617bc65c66a37ec4baad2f7412b

SHA256
e575e6487fa393b5aedd5562178f4663a8331390654ff1b459402320ac55c8e9

SHA512
b1adcc438d73fbd452443b35e5a53007d2f6a394591af8fea22cf880eafcd28a93ff161334de107e04e025018d0f83caa7386ad481c7995180093ec669329bd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
8603dbc20e2407a6664ca84fb9b1e032

SHA1
5aa6c46da823bc78e46ae48f99a6fed305ecec7e

SHA256
6a8c7ce319628528ca58d5f462718d3b597a713fe68f3c6e2afd187370f20640

SHA512
22097c535b16767f1bba24337dde15f5ba9212a0f7092f6c52cec6f843332b0226a27bfd2e7ff38503e7267116e7fc938a6a31d38a83d3c4680620a81fa87187

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
8b734a31443f812bd20205cb5f80a735

SHA1
83f5d86ca40f75c8f96667b00fa0ee358eda254d

SHA256
cf57244d1f2aa12e0e1c87b2741683f5e0b7d5b03208dd859ade18129bdb6014

SHA512
53d2e5dd873e70a82bcfbc909f632c7d5b9e486e58ef7069703ddcdccad27c9ebcba034ca105c2d5df05442357303122163686b3913d15fa1ea41a21bf8d5c29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\0ab8e366-1221-4089-9272-520ad86f835f

Filesize
16KB

MD5
20b5ee8252ac92f216a82534a85a89e6

SHA1
e7fbdbc2095e34b59cda12018e2de01c525adf39

SHA256
edfa8f3c32aedfec231be635a209710071148c19f6b35059be1aac11996628f9

SHA512
a92c83c73466f87f80faf8666916baee8cd1a57ead8dfd9c0ffceb67479184aee4a7ee2a9a8a191ea2e6723d49dcf59ab802b03e7a30dcef6418b55792c9b741

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\5ce2ccb5-d26b-4c2e-bead-9e1c79badd5a

Filesize
235B

MD5
2359006c99646d99afe5c9346b48d1c4

SHA1
db4db94576f7f0d967285c7dc84b5976c0c9beb6

SHA256
a0e076a8cc135e16f3963b1fcbced801579f0e976de0a310a00ed9c95c8a95df

SHA512
9701501a1e261a54fe3d8fea058957b2a0da116eed6413c89f8a8fb0e935db316ac2b43c2a6a307ed557d1f62e377d8fd427233d8e68f664ab9b3520354bfc5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\a4fc3c97-009c-42e8-ba39-46b2609a21d5

Filesize
2KB

MD5
761960e1b16dc65f25c850174679a8ec

SHA1
73eed46dbe086db6bb8a8f5ff1bce003b869a2e2

SHA256
96645277a80c33fd59f80ecbbe30cdd7e0c79a84a203ccbe2f96f38ba0fc1180

SHA512
1c800e6da38ef9a6513e1e1c1987a8972d2b0171a10270633ad8353bf895c2ffbbe5686798616200c18933cddebb52fb54ffac2e9dd7437ff4312f6a07eaa866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\e145aa45-967c-41cf-ad74-c2234cb740c0

Filesize
883B

MD5
056608624a189b178ed4aab66dce1e93

SHA1
5fcf369efa8b4855d5580cc45e613ce626e32675

SHA256
63a702c93d31962c0707647e1775021b273323271dcaca6beafffbe8f9fdebc7

SHA512
b0beb388095bc9f354e77f11c25e3cef6f19f4bbc43a8c926442ecf7fbb2330ad865204265cc3f704a88eec11f02f4662434e295b67b17bde6c03061bf31c863

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\e3a4e548-7457-441a-95f7-bd671c36a882

Filesize
235B

MD5
ade2e51a3da221ac01ad30ea202b1a14

SHA1
4d16e36520c01a09d096a575d71d2a4faa56ee6f

SHA256
e9e0e141b06eca373a47bdfa7d7ea3c1a8df2f40c66df218bf2587538ff579b2

SHA512
7e991c2490caaebf908429a262e9a5e021f8596b3b91cfc16e8e8102dddb265a2a5135e1916c6b36cd17b3fd1320ad79b1d8b0cbfd387d44b4b04b45e119d858

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\datareporting\glean\pending_pings\f09c575c-3827-4deb-85a5-b576ba97db38

Filesize
886B

MD5
2cfbc69d21503f9cb1d0ecd83f90bd9b

SHA1
70d4a2754e002bee9f9e4d1a1d22f31156a725e0

SHA256
007683f301e9d2df60e47a86480a83d3aff75400508081f6c589bef1d5216676

SHA512
40c05d97c89ff9d9639c945be05360fbd1442e0d7a3ffc9fd30c2cc1d62df9412ac234fee426185a8535325c1dcdb59c463d7882c3fc2b3cf5ff88c4a1f0444c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\prefs.js

Filesize
6KB

MD5
c5ece7d1f5202aa2326634fe87a1b48f

SHA1
0f2f4f4bb152ff406cb033ad54c766cca868241e

SHA256
127a194f8d3c5976b5366ee2a06cd490070b3be0ba52e6abbea6ff84fe340f79

SHA512
872aa0304483c93da2023ac72130adb29c378a0a371090765ef129ffc8c4b13353a916aa11634fe7b463796471cd7d89cc32d6f33e4cf0fb1e477b7531d807a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\prefs.js

Filesize
6KB

MD5
01d81cf58f8c22c981b87c42057a81d8

SHA1
171087c5a6032031cbc195f7d8b9024f0fdad76b

SHA256
0982a93774a35a20a06eaeb02b17050a3abecf132738ff82b6cecc722691c8a9

SHA512
ed39e9a6441fb3e8dabca73f8409766da2cafb3bbd0ef71cdd4084ffe4711ae2dc6e01d320ada5c8ed60cc61335397236b4a4cabbf046f83c8ff1794f7c933e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hnpwu3id.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
cd8054a7e4af393c4ece91d57fa83c7a

SHA1
dfa3a95fa443c1e045be5576847492ff2a81b0af

SHA256
036b7afa9aa97b64bf4e43312cb8a9b97e7fa32bf8b88d853272d61eb0bf1239

SHA512
0fdde76b027741019255f10203cb67e8e89270bdf2d9f99d99a5ad5434dd242f8a92c325dd2321d648b1337ad724f388e08063cc94718c3b4124432c6679beff

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Client.exe

Filesize
112KB

MD5
ae4d2ce16c802796d3b052c98f380df0

SHA1
a2744daae12f133c6b6be3e366ac90947bbed748

SHA256
b56aa51e6c3e6d8e4ed7a15a1480033741ee27d2e35957be742f9d799ad828f7

SHA512
bfb5225d6411c913ec098ff70311302dfff76f52addb527e2790b8b766ada513af453bad0f5d3f8caa7993558fe7ebc7a2bb5ad33c5a5ad260dde6f039fe842f

Download Submit
memory/2880-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000E60000-0x0000000000E82000-memory.dmp

Filesize
136KB

Download
memory/5300-467-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/5300-466-0x0000000006080000-0x00000000063D7000-memory.dmp

Filesize
3.3MB

Download
memory/5300-474-0x0000000007A00000-0x0000000007A22000-memory.dmp

Filesize
136KB

Download
memory/5300-473-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/5300-472-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/5300-471-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/5300-470-0x0000000007870000-0x00000000078E6000-memory.dmp

Filesize
472KB

Download
memory/5300-469-0x0000000007560000-0x00000000075A4000-memory.dmp

Filesize
272KB

Download
memory/5300-468-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/5300-453-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download
memory/5300-454-0x0000000005670000-0x0000000005D3A000-memory.dmp

Filesize
6.8MB

Download
memory/5300-455-0x0000000005D90000-0x0000000005DB2000-memory.dmp

Filesize
136KB

Download
memory/5300-461-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/5880-9-0x0000000074760000-0x0000000074F11000-memory.dmp

Filesize
7.7MB

Download
memory/5880-12-0x0000000006740000-0x0000000006CE6000-memory.dmp

Filesize
5.6MB

Download
memory/5880-5-0x0000000074760000-0x0000000074F11000-memory.dmp

Filesize
7.7MB

Download
memory/5880-452-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/5880-15-0x0000000008CD0000-0x0000000008CDA000-memory.dmp

Filesize
40KB

Download
memory/5880-10-0x0000000074760000-0x0000000074F11000-memory.dmp

Filesize
7.7MB

Download
memory/5880-11-0x0000000006180000-0x000000000618A000-memory.dmp

Filesize
40KB

Download
memory/5880-8-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/5880-13-0x00000000062A0000-0x0000000006332000-memory.dmp

Filesize
584KB

Download
memory/5880-14-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/5880-475-0x0000000001050000-0x000000000105C000-memory.dmp

Filesize
48KB

Download
memory/5880-477-0x0000000001490000-0x00000000014A2000-memory.dmp

Filesize
72KB

Download
memory/5880-480-0x00000000013D0000-0x00000000013DA000-memory.dmp

Filesize
40KB

Download
memory/5880-481-0x0000000074760000-0x0000000074F11000-memory.dmp

Filesize
7.7MB

Download
memory/5880-482-0x0000000074760000-0x0000000074F11000-memory.dmp

Filesize
7.7MB

Download