xenorat | 2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

General

Target

2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll
Size

832KB
MD5

8d31657e3cc733753f129c0a8ab9dd35
SHA1

c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e
SHA256

2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b
SHA512

381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34
SSDEEP

12288:jG1N4HkcgMsiOd58bzbBSreWQ0uqZzD1reWabd/aEce45oJNb1qX90YdquL:joOOMX1m+QHT+dCEcelJJ1qtHPL

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1596-40-0x000001C3A7820000-0x000001C3A7866000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/624-59-0x0000000000F30000-0x0000000000F74000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/624-64-0x0000000005B90000-0x0000000005BCE000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Executes dropped EXE 6 IoCs

Processes:

46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

pid	process
624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
2132	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
1008	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

1596 EXCEL.EXE
1596 EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

description	pid	process	target process
PID 624 set thread context of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 set thread context of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 set thread context of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 set thread context of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4948 2132 WerFault.exe 46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

pid	pid_target	process	target process
4948	2132	WerFault.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3532 schtasks.exe

pid	process
3532	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1596 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1596 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXE46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

description	pid	process
Token: SeDebugPrivilege	1596	EXCEL.EXE
Token: SeDebugPrivilege	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
Token: SeDebugPrivilege	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1596 EXCEL.EXE
1596 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

EXCEL.EXE46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
"C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
5⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 80
6⤵
- Program crash
PID:4948

C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
C:\Users\Admin\AppData\Roaming\XenoManager\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
5⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp" /F
4⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2132 -ip 2132
1⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3352 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll
Filesize
832KB

MD5
8d31657e3cc733753f129c0a8ab9dd35

SHA1
c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e

SHA256
2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

SHA512
381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
Filesize
237KB

MD5
75d3859dfcf940cc1da679fc66e9b7e1

SHA1
343e5170eadfc2a3706bab50b422fa4d8103286f

SHA256
d5c9c960a1bc89923c8ec30aebd6fb9389e1cc8937540c2284d5344a967465f6

SHA512
1f825f829f055bf2f63243353a83834e0109b7f696a067ca9530bcf83db4697ecc6e353c4602a371a0bc7a514e42bd3720c128ac797444bf1eac6d859c842d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp
Filesize
1KB

MD5
a873253bd0d9da813b10d56be5fce07f

SHA1
e1e52e6e2fc86b19a18fcc7322ad633ad4e9d434

SHA256
f13efd66db3c46de582a4c2c09373679bcc87c06e644afa8bd708515d0ed8239

SHA512
2000d551798fad98625b562734d2a7354a246537cd3aee4ea9c60a124b92c4faf00661b5eba2eb3a1c31d610e088e33dc499f9529200ef956fbc5c463828c948

Download Submit
memory/624-65-0x000000000E5A0000-0x000000000E63C000-memory.dmp

Filesize
624KB

Download
memory/624-66-0x000000000EBF0000-0x000000000F194000-memory.dmp

Filesize
5.6MB

Download
memory/624-67-0x000000000E6E0000-0x000000000E772000-memory.dmp

Filesize
584KB

Download
memory/624-64-0x0000000005B90000-0x0000000005BCE000-memory.dmp

Filesize
248KB

Download
memory/624-63-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/624-61-0x00000000032B0000-0x00000000032B6000-memory.dmp

Filesize
24KB

Download
memory/624-59-0x0000000000F30000-0x0000000000F74000-memory.dmp

Filesize
272KB

Download
memory/624-58-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/624-68-0x0000000005480000-0x0000000005486000-memory.dmp

Filesize
24KB

Download
memory/1596-13-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

Filesize
64KB

Download
memory/1596-11-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-0-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-23-0x000001C38BDB0000-0x000001C38BE99000-memory.dmp

Filesize
932KB

Download
memory/1596-24-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-25-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-26-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-27-0x000001C38E3C0000-0x000001C38E3D4000-memory.dmp

Filesize
80KB

Download
memory/1596-28-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-29-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-30-0x000001C38E3C0000-0x000001C38E3D4000-memory.dmp

Filesize
80KB

Download
memory/1596-31-0x000001C3A65C0000-0x000001C3A6744000-memory.dmp

Filesize
1.5MB

Download
memory/1596-32-0x000001C38E400000-0x000001C38E43C000-memory.dmp

Filesize
240KB

Download
memory/1596-33-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-34-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-35-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-36-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-37-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-38-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-39-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-40-0x000001C3A7820000-0x000001C3A7866000-memory.dmp

Filesize
280KB

Download
memory/1596-12-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-57-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-15-0x00007FF87F9A0000-0x00007FF87F9B0000-memory.dmp

Filesize
64KB

Download
memory/1596-10-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-60-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-9-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-62-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-8-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-6-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-7-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-5-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-4-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-3-0x00007FF8C1AAD000-0x00007FF8C1AAE000-memory.dmp

Filesize
4KB

Download
memory/1596-115-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-1-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-90-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-2-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-93-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-94-0x00007FF8C1A10000-0x00007FF8C1C05000-memory.dmp

Filesize
2.0MB

Download
memory/1596-111-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-112-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-114-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/1596-113-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/4828-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

description	pid	process	target process
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1596 wrote to memory of 624	1596	EXCEL.EXE	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 4828	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 624 wrote to memory of 3520	624	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 4828 wrote to memory of 1096	4828	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 2132	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 1096 wrote to memory of 1008	1096	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	schtasks.exe
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	schtasks.exe
PID 3520 wrote to memory of 3532	3520	46d3a0fc-a22d-4718-a64f-6bf550b87b0e.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads