Malware Analysis Report

2024-08-06 18:36

Sample ID 240515-bkfeqaab57
Target 3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
SHA256 3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f

Threat Level: Known bad

The file 3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Detects executables packed with ConfuserEx Mod

Detects executables packed with ConfuserEx Mod

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-15 01:11

Signatures

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 01:11

Reported

2024-05-15 01:14

Platform

win7-20240508-en

Max time kernel

127s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1900 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 set thread context of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 set thread context of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 set thread context of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 set thread context of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 set thread context of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 1900 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2312 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2312 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2312 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2312 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2488 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2976 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

"C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp

Files

memory/1900-0-0x000000007464E000-0x000000007464F000-memory.dmp

memory/1900-1-0x0000000000D30000-0x0000000000D76000-memory.dmp

memory/1900-2-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/1900-3-0x00000000003E0000-0x0000000000420000-memory.dmp

memory/1900-4-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/1900-5-0x0000000000250000-0x0000000000256000-memory.dmp

memory/2976-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-15-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2976-23-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/2312-24-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/1900-25-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/2488-33-0x00000000000C0000-0x0000000000106000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

MD5 83e7f4ab1716acc476ec084ce84861a1
SHA1 64e8e30193ad042474c157865f8938d101fa4f80
SHA256 3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f
SHA512 3958276eded5fc7b18c418b686a643f09b4a0025c87d2bf15e66b07ffd5c1ad86467a4c9b201ca1cd619a18d334ab92ed2dbb071d7ff9adb9209793403e9747f

memory/2312-31-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/2976-44-0x0000000074640000-0x0000000074D2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1890.tmp

MD5 5c1da78b54cdef7299dca4961c32226f
SHA1 45e1f755ffe5e96729052377c3b8d4134e2ce7e7
SHA256 389f747a28ef742f05f56297a11cba8aef0ac4eaa3da1695120879392986c98f
SHA512 ae272bb36f0228fc6382144c952524c281606c92f8536535b4a1bbe1abdc41008ea2c0edf00c54bf89cb70bc87ea4a403a6733dbd39f3904510ebd08b6730f32

memory/2976-47-0x0000000074640000-0x0000000074D2E000-memory.dmp

memory/2976-48-0x0000000074640000-0x0000000074D2E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 01:11

Reported

2024-05-15 01:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 628 set thread context of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 set thread context of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 set thread context of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 set thread context of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 set thread context of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 set thread context of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 628 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 3888 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 3888 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 3888 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 2540 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe
PID 3032 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

"C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Local\Temp\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2412 -ip 2412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3479.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/628-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/628-1-0x00000000007E0000-0x0000000000826000-memory.dmp

memory/628-2-0x0000000005110000-0x0000000005116000-memory.dmp

memory/628-3-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/628-4-0x0000000005280000-0x00000000052C0000-memory.dmp

memory/628-5-0x00000000054A0000-0x000000000553C000-memory.dmp

memory/628-6-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/628-7-0x00000000055E0000-0x0000000005672000-memory.dmp

memory/628-8-0x0000000005440000-0x0000000005446000-memory.dmp

memory/3032-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/628-15-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3032-14-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3888-16-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3032-17-0x0000000074D90000-0x0000000075540000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe

MD5 83e7f4ab1716acc476ec084ce84861a1
SHA1 64e8e30193ad042474c157865f8938d101fa4f80
SHA256 3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f
SHA512 3958276eded5fc7b18c418b686a643f09b4a0025c87d2bf15e66b07ffd5c1ad86467a4c9b201ca1cd619a18d334ab92ed2dbb071d7ff9adb9209793403e9747f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/2540-29-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3888-30-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/2540-37-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/3032-38-0x0000000074D90000-0x0000000075540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3479.tmp

MD5 5c1da78b54cdef7299dca4961c32226f
SHA1 45e1f755ffe5e96729052377c3b8d4134e2ce7e7
SHA256 389f747a28ef742f05f56297a11cba8aef0ac4eaa3da1695120879392986c98f
SHA512 ae272bb36f0228fc6382144c952524c281606c92f8536535b4a1bbe1abdc41008ea2c0edf00c54bf89cb70bc87ea4a403a6733dbd39f3904510ebd08b6730f32