xenorat | 2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a

General

Target

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
Size

243KB
MD5

d8f6115b7622aae1932adce73e6a22ae
SHA1

f7cf718ab1af7a1c14788a29bddd2a9a2204a0d8
SHA256

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a
SHA512

c8bb38387467b5ae0fb19d9fa5aa1086eb099de8d878ec000633daec9d27a149ed8943ec26e375d6c0799b2f32f0d72c12bb9ee78cd447fc6c855a0b75300cd6
SSDEEP

6144:nmqwqSDBvqTGEi35YZcUuZhFwoc+XQ34utDPG3HWC+AgxQkWvI:nmpDBvqTGhiZcUkhCocfDe3HWC+AgxQQ

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.requimacofradian.site

Mutex

Xeno_rat_nd8828g

Attributes

delay
60000
install_path
appdata
port
1253
startup_name
dic

Signatures

Detects XenoRAT malware 3 IoCs

XenoRAT is an open-source remote access tool (RAT) developed in C#.

rat

Processes:

resource	yara_rule
behavioral1/memory/2440-8-0x0000000000400000-0x0000000000412000-memory.dmp	XenoRAT
behavioral1/memory/2440-16-0x0000000000400000-0x0000000000412000-memory.dmp	XenoRAT
behavioral1/memory/2440-6-0x0000000000400000-0x0000000000412000-memory.dmp	XenoRAT

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 4 IoCs

Processes:

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

pid	process
2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2580	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2536	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2564	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

Loads dropped DLL 4 IoCs

Processes:

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

pid	process
2720	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

description	pid	process	target process
PID 2196 set thread context of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 set thread context of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 set thread context of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 set thread context of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 set thread context of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 set thread context of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2456 schtasks.exe

pid	process
2456	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

description	pid	process
Token: SeDebugPrivilege	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
Token: SeDebugPrivilege	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe

C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
"C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
4⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
4⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
4⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
C:\Users\Admin\AppData\Local\Temp\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "dic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32C.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp32C.tmp
Filesize
1KB

MD5
29e2b4b29fb503c5af56dd8b66f0f80a

SHA1
da9b34bba6aa712840618b8cdcab25354223213c

SHA256
9e345ffba2b9f6938fca1a36b69ce5d7208c6e63c925994925b04e1a93a1c222

SHA512
1d2c3e005b9724a987e7728f971a8e5a9e10fb544f39ef36de024e8c035e580a88e7eed318b79e751187e2557add308caa7a612515c0e897c51db0b4573cc8e4

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
Filesize
243KB

MD5
d8f6115b7622aae1932adce73e6a22ae

SHA1
f7cf718ab1af7a1c14788a29bddd2a9a2204a0d8

SHA256
2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a

SHA512
c8bb38387467b5ae0fb19d9fa5aa1086eb099de8d878ec000633daec9d27a149ed8943ec26e375d6c0799b2f32f0d72c12bb9ee78cd447fc6c855a0b75300cd6

Download Submit
memory/2196-26-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-5-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/2196-3-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/2196-1-0x0000000001320000-0x0000000001366000-memory.dmp

Filesize
280KB

Download
memory/2196-2-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2440-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-24-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2440-23-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2440-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2440-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2720-25-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-34-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-33-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download

description	pid	process	target process
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2440	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 2720	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2196 wrote to memory of 3064	2196	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2720 wrote to memory of 2792	2720	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2720 wrote to memory of 2792	2720	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2720 wrote to memory of 2792	2720	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2720 wrote to memory of 2792	2720	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2580	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2536	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 2792 wrote to memory of 2564	2792	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe
PID 3064 wrote to memory of 2456	3064	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	schtasks.exe
PID 3064 wrote to memory of 2456	3064	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	schtasks.exe
PID 3064 wrote to memory of 2456	3064	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	schtasks.exe
PID 3064 wrote to memory of 2456	3064	2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads