xenorat | dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38

General

Target

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
Size

243KB
MD5

4aad0d0ea510075b228330ca1f55d242
SHA1

c43b2fa5fc86a597d7f9d2139dce34d017028388
SHA256

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38
SHA512

532e5b415efd115d490c4ba60c6753bd7904a00eb5767554ec1744b2ee453a7bc81dd407215764b0361b738b50b2b2605f2ff5924dc8cbda3bafd03ffa38fc4c
SSDEEP

6144:1OYJ+Mul9FCrE+9Gheadlky0fXiJ+VCDsaBEx3EyVW6c7XFI:1NcMmbCrE+Tqky0cmr3EyVW6c7O

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3128-1-0x00000000008B0000-0x00000000008F6000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/3128-4-0x0000000005390000-0x00000000053D0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Executes dropped EXE 4 IoCs

Processes:

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

pid	process
4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
1572	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4048	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

description	pid	process	target process
PID 3128 set thread context of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 set thread context of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 set thread context of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 set thread context of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 set thread context of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 set thread context of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4620	812	WerFault.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
1656	3700	WerFault.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
1112	4048	WerFault.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

8 schtasks.exe

pid	process
8	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

description	pid	process
Token: SeDebugPrivilege	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
Token: SeDebugPrivilege	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exedfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
"C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
2⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 80
3⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
2⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 80
3⤵
- Program crash
PID:1656

C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27E6.tmp" /F
5⤵
- Creates scheduled task(s)
PID:8

C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4⤵
- Executes dropped EXE
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 80
5⤵
- Program crash
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 812 -ip 812
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3700 -ip 3700
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4048 -ip 4048
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27E6.tmp
Filesize
1KB

MD5
975fbdd54786c9fe86b489fe77d39811

SHA1
f71a93fe94675dc7204059ae6595838c21cb1aef

SHA256
05b6f79798671f7e98c407e1857e2e725edb6428dda8f0e38162e5758655a5c2

SHA512
29073c00192448a742519bd73fa00a700b23a0e954ac5b781516f7eb7048e5cd89461848bc6e7f1ac353a7b26abdb7cc12668a8f83e2797291ace6c7546b4d9b

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
Filesize
243KB

MD5
4aad0d0ea510075b228330ca1f55d242

SHA1
c43b2fa5fc86a597d7f9d2139dce34d017028388

SHA256
dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38

SHA512
532e5b415efd115d490c4ba60c6753bd7904a00eb5767554ec1744b2ee453a7bc81dd407215764b0361b738b50b2b2605f2ff5924dc8cbda3bafd03ffa38fc4c

Download Submit
memory/544-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/544-27-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/544-15-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-8-0x0000000005230000-0x0000000005236000-memory.dmp

Filesize
24KB

Download
memory/3128-7-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/3128-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3128-6-0x0000000006C30000-0x00000000071D4000-memory.dmp

Filesize
5.6MB

Download
memory/3128-5-0x00000000065E0000-0x000000000667C000-memory.dmp

Filesize
624KB

Download
memory/3128-4-0x0000000005390000-0x00000000053D0000-memory.dmp

Filesize
256KB

Download
memory/3128-16-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-3-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-2-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/3128-1-0x00000000008B0000-0x00000000008F6000-memory.dmp

Filesize
280KB

Download
memory/4664-28-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4664-29-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4664-36-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	schtasks.exe
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	schtasks.exe
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads