xenorat | 2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

General

Target

Odeme_Takvimi_Ocak-2024.xll
Size

832KB
MD5

8d31657e3cc733753f129c0a8ab9dd35
SHA1

c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e
SHA256

2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b
SHA512

381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34
SSDEEP

12288:jG1N4HkcgMsiOd58bzbBSreWQ0uqZzD1reWabd/aEce45oJNb1qX90YdquL:joOOMX1m+QHT+dCEcelJJ1qtHPL

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c0846236-b8f5-443d-88cb-eed5107f3776.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	c0846236-b8f5-443d-88cb-eed5107f3776.exe

Executes dropped EXE 6 IoCs

Processes:

c0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exe

pid	process
3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe
3956	c0846236-b8f5-443d-88cb-eed5107f3776.exe
2696	c0846236-b8f5-443d-88cb-eed5107f3776.exe
3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe
3160	c0846236-b8f5-443d-88cb-eed5107f3776.exe
3040	c0846236-b8f5-443d-88cb-eed5107f3776.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
1516 EXCEL.EXE

pid	process
1516	EXCEL.EXE
1516	EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

c0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exe

description	pid	process	target process
PID 3680 set thread context of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 set thread context of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 set thread context of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 set thread context of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

944 3956 WerFault.exe c0846236-b8f5-443d-88cb-eed5107f3776.exe

pid	pid_target	process	target process
944	3956	WerFault.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3888 schtasks.exe

pid	process
3888	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE

pid	process
1516	EXCEL.EXE

pid	process
1516	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXEc0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exe

description	pid	process
Token: SeDebugPrivilege	1516	EXCEL.EXE
Token: SeDebugPrivilege	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe
Token: SeDebugPrivilege	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
1516 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE

pid	process
1516	EXCEL.EXE
1516	EXCEL.EXE

pid	process
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

EXCEL.EXEc0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exec0846236-b8f5-443d-88cb-eed5107f3776.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Odeme_Takvimi_Ocak-2024.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
"C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
3⤵
- Executes dropped EXE
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 80
4⤵
- Program crash
PID:944

C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe
C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp782D.tmp" /F
6⤵
- Creates scheduled task(s)
PID:3888

C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe
C:\Users\Admin\AppData\Roaming\XenoManager\c0846236-b8f5-443d-88cb-eed5107f3776.exe
5⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3956 -ip 3956
1⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c0846236-b8f5-443d-88cb-eed5107f3776.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Odeme_Takvimi_Ocak-2024.xll
Filesize
832KB

MD5
8d31657e3cc733753f129c0a8ab9dd35

SHA1
c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e

SHA256
2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

SHA512
381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0846236-b8f5-443d-88cb-eed5107f3776.exe
Filesize
237KB

MD5
75d3859dfcf940cc1da679fc66e9b7e1

SHA1
343e5170eadfc2a3706bab50b422fa4d8103286f

SHA256
d5c9c960a1bc89923c8ec30aebd6fb9389e1cc8937540c2284d5344a967465f6

SHA512
1f825f829f055bf2f63243353a83834e0109b7f696a067ca9530bcf83db4697ecc6e353c4602a371a0bc7a514e42bd3720c128ac797444bf1eac6d859c842d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp782D.tmp
Filesize
1KB

MD5
9625628605e5d7538b8615e3c2b10071

SHA1
08670cd151b1a3302d914dc3bbf108155a166031

SHA256
14adb011ea3a030f6dad4991992627955a79768ddef9c6f88694813893829b74

SHA512
b69ef4c2731aa6951b964965478f727dce9b33ba1f536c7964e1279e1f53e3c79fd33906ddf69d15ef84d5ef71b09660781aaa08953d842cc651b182dd84356f

Download Submit
memory/1516-29-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-106-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-30-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-3-0x00007FF811BAD000-0x00007FF811BAE000-memory.dmp

Filesize
4KB

Download
memory/1516-4-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-5-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-6-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-7-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp

Filesize
64KB

Download
memory/1516-9-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-8-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-10-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-11-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-12-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-17-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp

Filesize
64KB

Download
memory/1516-15-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-16-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-20-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-19-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-18-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-21-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-14-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-13-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-24-0x0000027A514A0000-0x0000027A51589000-memory.dmp

Filesize
932KB

Download
memory/1516-28-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-0-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-31-0x0000027A6AE00000-0x0000027A6AF84000-memory.dmp

Filesize
1.5MB

Download
memory/1516-1-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-2-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-91-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-32-0x0000027A6ABE0000-0x0000027A6AC1C000-memory.dmp

Filesize
240KB

Download
memory/1516-25-0x0000027A52A00000-0x0000027A52A14000-memory.dmp

Filesize
80KB

Download
memory/1516-33-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-35-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-34-0x0000027A6AFC0000-0x0000027A6B006000-memory.dmp

Filesize
280KB

Download
memory/1516-109-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-27-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-108-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-107-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-105-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp

Filesize
64KB

Download
memory/1516-92-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-26-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-81-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-82-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/1516-90-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/2696-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3680-53-0x0000000005870000-0x00000000058AE000-memory.dmp

Filesize
248KB

Download
memory/3680-54-0x000000000E500000-0x000000000E59C000-memory.dmp

Filesize
624KB

Download
memory/3680-52-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/3680-51-0x00000000031D0000-0x00000000031D6000-memory.dmp

Filesize
24KB

Download
memory/3680-49-0x00007FF811B10000-0x00007FF811D05000-memory.dmp

Filesize
2.0MB

Download
memory/3680-50-0x0000000000E30000-0x0000000000E74000-memory.dmp

Filesize
272KB

Download
memory/3680-55-0x000000000EB50000-0x000000000F0F4000-memory.dmp

Filesize
5.6MB

Download
memory/3680-56-0x000000000E5A0000-0x000000000E632000-memory.dmp

Filesize
584KB

Download
memory/3680-57-0x0000000003190000-0x0000000003196000-memory.dmp

Filesize
24KB

Download

description	pid	process	target process
PID 1516 wrote to memory of 3680	1516	EXCEL.EXE	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 1516 wrote to memory of 3680	1516	EXCEL.EXE	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 1516 wrote to memory of 3680	1516	EXCEL.EXE	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 3956	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3680 wrote to memory of 2696	3680	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 2696 wrote to memory of 3224	2696	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 2696 wrote to memory of 3224	2696	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 2696 wrote to memory of 3224	2696	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3160	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3224 wrote to memory of 3040	3224	c0846236-b8f5-443d-88cb-eed5107f3776.exe	c0846236-b8f5-443d-88cb-eed5107f3776.exe
PID 3160 wrote to memory of 3888	3160	c0846236-b8f5-443d-88cb-eed5107f3776.exe	schtasks.exe
PID 3160 wrote to memory of 3888	3160	c0846236-b8f5-443d-88cb-eed5107f3776.exe	schtasks.exe
PID 3160 wrote to memory of 3888	3160	c0846236-b8f5-443d-88cb-eed5107f3776.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads