xenorat | ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

General

Target

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
Size

242KB
MD5

e3194e68bfa1155b7a5d0e895f9eccf1
SHA1

99de13f1eae283988d21f9f07a2646efaf55bc6e
SHA256

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8
SHA512

8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0
SSDEEP

6144:vUFRBdL5W/ldm/mGniJA07X7lBL/EMx4RpFLhBvuX/PFj0SP26Lzj2Y8qG+hBs7N:QvnW/4mGZ0rhd/ERRHzGPPNj2Y8qG+hI

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/560-1-0x00000000005C0000-0x0000000000606000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/560-4-0x0000000004EC0000-0x0000000004F00000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Executes dropped EXE 4 IoCs

Processes:

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

pid	process
1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1208	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1464	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1880	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

description	pid	process	target process
PID 560 set thread context of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 set thread context of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 set thread context of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 set thread context of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 set thread context of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 set thread context of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1692	2512	WerFault.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
4080	1464	WerFault.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3020 schtasks.exe

pid	process
3020	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

description	pid	process
Token: SeDebugPrivilege	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
Token: SeDebugPrivilege	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exeddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
"C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
4⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
4⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 80
5⤵
- Program crash
PID:4080

C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
4⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
2⤵
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 80
3⤵
- Program crash
PID:1692

C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp" /F
3⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2512 -ip 2512
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1464 -ip 1464
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp
Filesize
1KB

MD5
13d0b2f0ba551e25b4c373ea3555151d

SHA1
3971d0c1bd2f13a2bd38845f0b945fb5a3cf3640

SHA256
787ca9156b4d661abf167edfdc6e89dc50c3a76500dc86943a763506942e470c

SHA512
41536d9129b8612837e128529a0a78649e228b6f578162545f275ca699574d9211d37e7f1fbe257e2c2843e0816c71570f8d1601fe0d3656bd76d39a91052b79

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
Filesize
242KB

MD5
e3194e68bfa1155b7a5d0e895f9eccf1

SHA1
99de13f1eae283988d21f9f07a2646efaf55bc6e

SHA256
ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

SHA512
8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0

Download Submit
memory/560-8-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/560-0-0x00000000751DE000-0x00000000751DF000-memory.dmp

Filesize
4KB

Download
memory/560-5-0x000000000DAF0000-0x000000000DB8C000-memory.dmp

Filesize
624KB

Download
memory/560-6-0x000000000E140000-0x000000000E6E4000-memory.dmp

Filesize
5.6MB

Download
memory/560-7-0x000000000DC30000-0x000000000DCC2000-memory.dmp

Filesize
584KB

Download
memory/560-1-0x00000000005C0000-0x0000000000606000-memory.dmp

Filesize
280KB

Download
memory/560-3-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/560-4-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/560-15-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/560-2-0x0000000002920000-0x0000000002926000-memory.dmp

Filesize
24KB

Download
memory/956-24-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/956-16-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/956-38-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1480-37-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1480-30-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-14-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-29-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

description	pid	process	target process
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	schtasks.exe
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	schtasks.exe
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads