xenorat | 639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0

General

Target

Odeme_Takvimi_Ocak-2024.xll
Size

832KB
MD5

a18a3a3e81558c30701a5d28fbea50db
SHA1

044a8edc053be2fa5dff2565b4f08906c51f5a91
SHA256

639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0
SHA512

d6758fefe0955c5be4fa9dada657e61db294b6039d4be1781cc474ba001bbcd131c49102e26fa2f699c77084548c60b29c9dc15a8ab42cef10f779b243600db6
SSDEEP

12288:7G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/50+m70avcUthVLFH1Lo:7oOOMX16+QHT+dB0+m70qve

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

Executes dropped EXE 6 IoCs

Processes:

ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

pid	process
3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
1148	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
4264	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
4348	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
3508	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

2560 EXCEL.EXE
2560 EXCEL.EXE

pid	process
2560	EXCEL.EXE
2560	EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

description	pid	process	target process
PID 3068 set thread context of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 set thread context of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 set thread context of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 set thread context of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5076 4264 WerFault.exe ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

pid	pid_target	process	target process
5076	4264	WerFault.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5116 schtasks.exe

pid	process
5116	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2560 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

2560 EXCEL.EXE

pid	process
2560	EXCEL.EXE

pid	process
2560	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXEebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

description	pid	process
Token: SeDebugPrivilege	2560	EXCEL.EXE
Token: SeDebugPrivilege	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
Token: SeDebugPrivilege	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2560 EXCEL.EXE
2560 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE
2560 EXCEL.EXE

pid	process
2560	EXCEL.EXE
2560	EXCEL.EXE

pid	process
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE
2560	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

EXCEL.EXEebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exeebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Odeme_Takvimi_Ocak-2024.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
"C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp789B.tmp" /F
6⤵
- Creates scheduled task(s)
PID:5116

C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
C:\Users\Admin\AppData\Roaming\XenoManager\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
5⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
3⤵
- Executes dropped EXE
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 80
4⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264
1⤵
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Odeme_Takvimi_Ocak-2024.xll
Filesize
832KB

MD5
a18a3a3e81558c30701a5d28fbea50db

SHA1
044a8edc053be2fa5dff2565b4f08906c51f5a91

SHA256
639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0

SHA512
d6758fefe0955c5be4fa9dada657e61db294b6039d4be1781cc474ba001bbcd131c49102e26fa2f699c77084548c60b29c9dc15a8ab42cef10f779b243600db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
Filesize
237KB

MD5
63832573fe21731013ba3c4b419682f7

SHA1
9ebb4b8afb218d83661ccfc9ffc1a3e7e4dad0b9

SHA256
2fc5d95990c8cc587e5788c21c20dede449f4992c80a5009553f39fdf29c91bb

SHA512
50e5429ff0f5005a825584bd50c2ff09a06a87e621ff552ffdea284d3d6493f29f85ae3c401f958f6a45389e7a7180e7f7ec6f37b8e4ded578f75d4988dbc2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp789B.tmp
Filesize
1KB

MD5
a59f7f2f3945ff192c56f948457a8746

SHA1
72658189330a7b67065a5d807b13bec418b3f459

SHA256
3422055d35049518d8c4b015eb93655c182429de18c73aa65671eada33a98365

SHA512
fae3d066aca64e2ae444dfa4e0260b3c578305416d18a59624724276ec0adcde32ada8ffb5f98a6d8cef945f84fbc63170c1fbc0e9c11212ff1c573a08304a7b

Download Submit
memory/1148-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2560-29-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-109-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-8-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-9-0x00007FF9D3810000-0x00007FF9D3820000-memory.dmp

Filesize
64KB

Download
memory/2560-7-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-10-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-12-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-11-0x00007FF9D3810000-0x00007FF9D3820000-memory.dmp

Filesize
64KB

Download
memory/2560-16-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-17-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-15-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-21-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-20-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-19-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-18-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-14-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-13-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-5-0x00007FFA15B6D000-0x00007FFA15B6E000-memory.dmp

Filesize
4KB

Download
memory/2560-24-0x00000221B8DA0000-0x00000221B8E89000-memory.dmp

Filesize
932KB

Download
memory/2560-26-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-28-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-30-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-31-0x00000221D5430000-0x00000221D55B4000-memory.dmp

Filesize
1.5MB

Download
memory/2560-0-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-33-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-32-0x00000221D5220000-0x00000221D525C000-memory.dmp

Filesize
240KB

Download
memory/2560-27-0x00000221BCF40000-0x00000221BCF54000-memory.dmp

Filesize
80KB

Download
memory/2560-6-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-93-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-3-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-110-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-108-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-34-0x00000221D52A0000-0x00000221D52E6000-memory.dmp

Filesize
280KB

Download
memory/2560-107-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-106-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-35-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-92-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-91-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-4-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-90-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-1-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-2-0x00007FF9D5B50000-0x00007FF9D5B60000-memory.dmp

Filesize
64KB

Download
memory/2560-86-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-87-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-68-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-61-0x0000000005660000-0x0000000005666000-memory.dmp

Filesize
24KB

Download
memory/3068-60-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/3068-59-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/3068-58-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/3068-57-0x00000000055B0000-0x00000000055EE000-memory.dmp

Filesize
248KB

Download
memory/3068-53-0x0000000005340000-0x0000000005346000-memory.dmp

Filesize
24KB

Download
memory/3068-52-0x0000000000B40000-0x0000000000B84000-memory.dmp

Filesize
272KB

Download
memory/3068-51-0x00007FFA15AD0000-0x00007FFA15CC5000-memory.dmp

Filesize
2.0MB

Download

description	pid	process	target process
PID 2560 wrote to memory of 3068	2560	EXCEL.EXE	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 2560 wrote to memory of 3068	2560	EXCEL.EXE	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 2560 wrote to memory of 3068	2560	EXCEL.EXE	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 1148	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 3068 wrote to memory of 4264	3068	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 1148 wrote to memory of 4688	1148	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 1148 wrote to memory of 4688	1148	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 1148 wrote to memory of 4688	1148	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 4348	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4688 wrote to memory of 3508	4688	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe
PID 4348 wrote to memory of 5116	4348	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	schtasks.exe
PID 4348 wrote to memory of 5116	4348	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	schtasks.exe
PID 4348 wrote to memory of 5116	4348	ebfba3a0-bde6-41e2-8a88-83f66a4e141b.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads