Malware Analysis Report

2024-08-06 18:19

Sample ID 240601-b5xvhadd8t
Target acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
SHA256 acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e

Threat Level: Known bad

The file acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Detects executables packed with ConfuserEx Mod

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 01:44

Signatures

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 01:44

Reported

2024-06-01 01:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 848 set thread context of 928 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 848 set thread context of 3432 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 848 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 set thread context of 1760 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 set thread context of 4956 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 set thread context of 4372 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 848 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 848 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 3432 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1356 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 1760 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

"C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2648 -ip 2648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 928 -ip 928

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 80

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 12

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 80

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "hns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/848-0-0x000000007527E000-0x000000007527F000-memory.dmp

memory/848-1-0x00000000001E0000-0x0000000000226000-memory.dmp

memory/848-2-0x0000000002440000-0x0000000002446000-memory.dmp

memory/848-3-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/848-4-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/848-5-0x0000000004D60000-0x0000000004DFC000-memory.dmp

memory/848-6-0x00000000053B0000-0x0000000005954000-memory.dmp

memory/848-7-0x0000000004EA0000-0x0000000004F32000-memory.dmp

memory/848-8-0x0000000004D00000-0x0000000004D06000-memory.dmp

memory/3432-9-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/848-14-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/3432-15-0x0000000075270000-0x0000000075A20000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

MD5 46d15e0b7105b6a1e499843065583960
SHA1 71119b1d895f728026a27d6d7db519f6d0044baa
SHA256 acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e
SHA512 ec546e0ed7cad0ac2f518e64041da796a386f3ae368ab1abd49642827b7e1ebda06afa8ca90fbc660e752fa051edf6215958c7bb4d09237a6c1e6c694acaca73

memory/1356-26-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/3432-28-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/1356-29-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/1760-32-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/1356-37-0x0000000075270000-0x0000000075A20000-memory.dmp

memory/1760-38-0x0000000075270000-0x0000000075A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp

MD5 58e3ad5180e248abb84cd8ce2a7cc39f
SHA1 2414a1c1c5955829adca694a592414a90b3b8dba
SHA256 d952bf289e66d448779bf833c2f724b0ea9685d7e75b8d165b6733d422d800e3
SHA512 fe9e341b1b3ee2627c9b49bd09184f7eb46bd580de25ccc6175b81dafd5668761feffd6a0e2f4f87db5dfe36a54135c2afe6a21455fa74bdec74ad30790f6b94

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 01:44

Reported

2024-06-01 01:46

Platform

win7-20240221-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2744 set thread context of 2944 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2744 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2744 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 set thread context of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 set thread context of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 set thread context of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2744 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2744 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 3020 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2672 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe
PID 2944 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Windows\SysWOW64\schtasks.exe
PID 2944 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

"C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Local\Temp\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "hns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70EC.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp
NL 94.156.66.169:1284 dns.dobiamfollollc.online tcp

Files

memory/2744-0-0x000000007486E000-0x000000007486F000-memory.dmp

memory/2744-1-0x0000000000AB0000-0x0000000000AF6000-memory.dmp

memory/2744-2-0x00000000002E0000-0x00000000002E6000-memory.dmp

memory/2744-3-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2744-4-0x0000000000240000-0x0000000000280000-memory.dmp

memory/2744-5-0x0000000000290000-0x0000000000296000-memory.dmp

memory/2944-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2944-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2944-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2944-23-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/3020-24-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2744-25-0x0000000074860000-0x0000000074F4E000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e.exe

MD5 46d15e0b7105b6a1e499843065583960
SHA1 71119b1d895f728026a27d6d7db519f6d0044baa
SHA256 acb620ecc1205abaff13777bd804a1f921a420c0c4765f1c6682c927f1b66f6e
SHA512 ec546e0ed7cad0ac2f518e64041da796a386f3ae368ab1abd49642827b7e1ebda06afa8ca90fbc660e752fa051edf6215958c7bb4d09237a6c1e6c694acaca73

memory/3020-32-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2672-33-0x0000000001030000-0x0000000001076000-memory.dmp

memory/2944-49-0x0000000074860000-0x0000000074F4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp70EC.tmp

MD5 6411919d566397be188fa6ea768f97cc
SHA1 d7abf0d441e7f74f78280fc915aec45b06551a90
SHA256 8f0123d2f5ca8c43bb6b52bb688e48477f5e6fcffb0b564fd0c8e03d804d34ab
SHA512 f11f176dee133edb40ff316c3f2e8e4c0c744aaa91d780b81654a2b1d797b5511fa4328f3ec6852abc3f858d2559188db46b9dd0ccf1eb8c4b769c1e95d85e49

memory/2944-52-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2944-53-0x0000000074860000-0x0000000074F4E000-memory.dmp