xenorat | 7b38251641313fb55b8fb461accb8af284d8c2ec11c5da53b306a0e7b3271cdd

General

Target

ESTADODECUENTA.xll
Size

820KB
MD5

a619cded29da7704aed4a84f24da47b9
SHA1

16bee7cb5587cd14a5937f9f7bc32e6e065ee2fe
SHA256

7b38251641313fb55b8fb461accb8af284d8c2ec11c5da53b306a0e7b3271cdd
SHA512

148b07b8f1b0668e71ab46f15fe7ee41b69c88bb86543f2def6f7ffa3614d7d61268d5450c0cfe7535f8900d86074143ad6cecb5b98b6c7d9bbd64c8bc6656c0
SSDEEP

12288:1G1N4HkcgMsiOd58bzbBSre6Q0uqZzD1reWabd/dbNZEEx/DLn0vkYHipwyA:1oOOMX1K+QHT+d9NZdxYHip

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes

delay
60000
install_path
appdata
port
1279
startup_name
qns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

Executes dropped EXE 8 IoCs

Processes:

9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

pid	process
4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
1932	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
3688	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
3464	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
4168	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
816	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
552	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

4944 EXCEL.EXE
4944 EXCEL.EXE

pid	process
4944	EXCEL.EXE
4944	EXCEL.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

description	pid	process	target process
PID 4312 set thread context of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 set thread context of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 set thread context of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 set thread context of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 set thread context of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 set thread context of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3880 schtasks.exe

pid	process
3880	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4944 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

4944 EXCEL.EXE

pid	process
4944	EXCEL.EXE

pid	process
4944	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXE9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

description	pid	process
Token: SeDebugPrivilege	4944	EXCEL.EXE
Token: SeDebugPrivilege	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
Token: SeDebugPrivilege	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4944 EXCEL.EXE
4944 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE
4944 EXCEL.EXE

pid	process
4944	EXCEL.EXE
4944	EXCEL.EXE

pid	process
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE
4944	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

EXCEL.EXE9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ESTADODECUENTA.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
"C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
5⤵
- Executes dropped EXE
PID:4168

C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
5⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Roaming\XenoManager\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
5⤵
- Executes dropped EXE
PID:552

C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "qns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp" /F
4⤵
- Creates scheduled task(s)
PID:3880

C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
3⤵
- Executes dropped EXE
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe.log
Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
Filesize
233KB

MD5
025593cacb392aadf7266febcb9f700a

SHA1
602a4fcbbdaf682dc6311dc72468a00eb148ca86

SHA256
6b09a61d15fd9835db561b9f7571c714333a071cce0facd8ac3dc39289ef8998

SHA512
8e5c571c4905b418446cea26d8ef978706d1deb209227c602b8dbc5e9b9d23379bf42169887ee81dd287b9c07e43df733ffa7a72e4e279f9dfcec490710ed947

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESTADODECUENTA.xll
Filesize
820KB

MD5
a619cded29da7704aed4a84f24da47b9

SHA1
16bee7cb5587cd14a5937f9f7bc32e6e065ee2fe

SHA256
7b38251641313fb55b8fb461accb8af284d8c2ec11c5da53b306a0e7b3271cdd

SHA512
148b07b8f1b0668e71ab46f15fe7ee41b69c88bb86543f2def6f7ffa3614d7d61268d5450c0cfe7535f8900d86074143ad6cecb5b98b6c7d9bbd64c8bc6656c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp
Filesize
1KB

MD5
e5dff63a5c1102a0b1c91318fca7f1ac

SHA1
48ab5d52e42b663625a31d3a7705976b085ea4d4

SHA256
ae8c378e12b05106cc7a6b022aa7f72aea70011315518df01eb5aa00db0e5fb4

SHA512
74784096e74e2e3e07fd7995a13633761509310dfc50ab5877a9d773db8a44231a2152f99f2376a8ab4071640b8197607d6484361c6cecea54049fbb9aaea210

Download Submit
memory/1932-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4312-55-0x00000000048B0000-0x00000000048B6000-memory.dmp

Filesize
24KB

Download
memory/4312-54-0x000000000DAD0000-0x000000000DB6C000-memory.dmp

Filesize
624KB

Download
memory/4312-53-0x000000000D9F0000-0x000000000DA2E000-memory.dmp

Filesize
248KB

Download
memory/4312-52-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4312-51-0x0000000004F40000-0x0000000004F46000-memory.dmp

Filesize
24KB

Download
memory/4312-50-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/4312-49-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-18-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-11-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-0-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-20-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-17-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-16-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-15-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-13-0x00007FFCDBBB0000-0x00007FFCDBBC0000-memory.dmp

Filesize
64KB

Download
memory/4944-12-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-14-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-23-0x000001AB91E40000-0x000001AB91F26000-memory.dmp

Filesize
920KB

Download
memory/4944-24-0x000001AB93410000-0x000001AB93424000-memory.dmp

Filesize
80KB

Download
memory/4944-25-0x000001AB93410000-0x000001AB93424000-memory.dmp

Filesize
80KB

Download
memory/4944-26-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-28-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-30-0x000001ABAB780000-0x000001ABAB904000-memory.dmp

Filesize
1.5MB

Download
memory/4944-29-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-27-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-32-0x000001AB93570000-0x000001AB935AC000-memory.dmp

Filesize
240KB

Download
memory/4944-31-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-33-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-34-0x000001ABAB980000-0x000001ABAB9C4000-memory.dmp

Filesize
272KB

Download
memory/4944-35-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-19-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-10-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-9-0x00007FFCDBBB0000-0x00007FFCDBBC0000-memory.dmp

Filesize
64KB

Download
memory/4944-7-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-8-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-1-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-5-0x00007FFD1DD8D000-0x00007FFD1DD8E000-memory.dmp

Filesize
4KB

Download
memory/4944-6-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-3-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-4-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-81-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-82-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-90-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-91-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-92-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-93-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download
memory/4944-2-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-109-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-110-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-108-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-111-0x00007FFCDDD70000-0x00007FFCDDD80000-memory.dmp

Filesize
64KB

Download
memory/4944-112-0x00007FFD1DCF0000-0x00007FFD1DEE5000-memory.dmp

Filesize
2.0MB

Download

description	pid	process	target process
PID 4944 wrote to memory of 4312	4944	EXCEL.EXE	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4944 wrote to memory of 4312	4944	EXCEL.EXE	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4944 wrote to memory of 4312	4944	EXCEL.EXE	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 1932	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3464	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 4312 wrote to memory of 3688	4312	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 1932 wrote to memory of 208	1932	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 1932 wrote to memory of 208	1932	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 1932 wrote to memory of 208	1932	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 4168	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 816	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 208 wrote to memory of 552	208	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe
PID 3464 wrote to memory of 3880	3464	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	schtasks.exe
PID 3464 wrote to memory of 3880	3464	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	schtasks.exe
PID 3464 wrote to memory of 3880	3464	9a19be6c-2ec8-4d65-919a-69e8d2416acb.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads