xenorat | 2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

General

Target

2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll
Size

832KB
MD5

8d31657e3cc733753f129c0a8ab9dd35
SHA1

c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e
SHA256

2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b
SHA512

381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34
SSDEEP

12288:jG1N4HkcgMsiOd58bzbBSreWQ0uqZzD1reWabd/aEce45oJNb1qX90YdquL:joOOMX1m+QHT+dCEcelJJ1qtHPL

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15f51430-94b3-4965-82a8-659f8b27d2e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	15f51430-94b3-4965-82a8-659f8b27d2e0.exe

Executes dropped EXE 6 IoCs

Processes:

15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe

pid	process
1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
4248	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
548	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
2324	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
3656	15f51430-94b3-4965-82a8-659f8b27d2e0.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
4160 EXCEL.EXE

pid	process
4160	EXCEL.EXE
4160	EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe

description	pid	process	target process
PID 1768 set thread context of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 set thread context of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 set thread context of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 set thread context of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3680 schtasks.exe

pid	process
3680	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE

pid	process
4160	EXCEL.EXE

pid	process
4160	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXE15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe

description	pid	process
Token: SeDebugPrivilege	4160	EXCEL.EXE
Token: SeDebugPrivilege	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
Token: SeDebugPrivilege	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
4160 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE
4160 EXCEL.EXE

pid	process
4160	EXCEL.EXE
4160	EXCEL.EXE

pid	process
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE
4160	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

EXCEL.EXE15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe15f51430-94b3-4965-82a8-659f8b27d2e0.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
"C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
5⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
C:\Users\Admin\AppData\Roaming\XenoManager\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
5⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE29.tmp" /F
4⤵
- Creates scheduled task(s)
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1028,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\15f51430-94b3-4965-82a8-659f8b27d2e0.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15f51430-94b3-4965-82a8-659f8b27d2e0.exe
Filesize
237KB

MD5
75d3859dfcf940cc1da679fc66e9b7e1

SHA1
343e5170eadfc2a3706bab50b422fa4d8103286f

SHA256
d5c9c960a1bc89923c8ec30aebd6fb9389e1cc8937540c2284d5344a967465f6

SHA512
1f825f829f055bf2f63243353a83834e0109b7f696a067ca9530bcf83db4697ecc6e353c4602a371a0bc7a514e42bd3720c128ac797444bf1eac6d859c842d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b.xll
Filesize
832KB

MD5
8d31657e3cc733753f129c0a8ab9dd35

SHA1
c5d9d5ddba7c1d9ee76c6ee21a5f6dcad1dbe82e

SHA256
2c6977ae3de5f4439b178da21bd279e3181dfc394eaad65ed1b006dfb3b25d5b

SHA512
381adba099f21f6b0ffa1ca70709ea5d3c3d4e7f87dc205b14e947c0c2353988d20c9fcf7732ac46a4e06fe4cfd6aa975c08e8357e2454ef2863fdac63015e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE29.tmp
Filesize
1KB

MD5
c5424e8baaec31074c4e7782238d9955

SHA1
9919d6a4629deeacb6a010e99b8a41a0af1d3886

SHA256
08f25d1774658cdff43bbc49fe33f00197ff385a8318e209465d1c7a33125746

SHA512
c73f208b99417ce48e7fea7b7ace7c5a515f0a61dac5cded3bbb2cb30fd46588e74371c55a02f05436962209f2f41823b8b9be5c88c85f44d9cf0abcd0907c86

Download Submit
memory/1768-57-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/1768-58-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/1768-59-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/1768-56-0x0000000005170000-0x00000000051AE000-memory.dmp

Filesize
248KB

Download
memory/1768-55-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-54-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/1768-53-0x00000000007E0000-0x0000000000824000-memory.dmp

Filesize
272KB

Download
memory/1768-52-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-60-0x00000000051F0000-0x00000000051F6000-memory.dmp

Filesize
24KB

Download
memory/4160-15-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-9-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-17-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-16-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-14-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-23-0x000001A0DC410000-0x000001A0DC4F9000-memory.dmp

Filesize
932KB

Download
memory/4160-13-0x00007FFB6D520000-0x00007FFB6D530000-memory.dmp

Filesize
64KB

Download
memory/4160-24-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-28-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-27-0x000001A0DC770000-0x000001A0DC784000-memory.dmp

Filesize
80KB

Download
memory/4160-30-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-29-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-31-0x000001A0DCA60000-0x000001A0DCBE4000-memory.dmp

Filesize
1.5MB

Download
memory/4160-32-0x000001A0DC950000-0x000001A0DC98C000-memory.dmp

Filesize
240KB

Download
memory/4160-26-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-25-0x000001A0DC770000-0x000001A0DC784000-memory.dmp

Filesize
80KB

Download
memory/4160-36-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-37-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-38-0x000001A0DC9D0000-0x000001A0DCA16000-memory.dmp

Filesize
280KB

Download
memory/4160-11-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-12-0x00007FFB6D520000-0x00007FFB6D530000-memory.dmp

Filesize
64KB

Download
memory/4160-3-0x00007FFBAFC8D000-0x00007FFBAFC8E000-memory.dmp

Filesize
4KB

Download
memory/4160-10-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-7-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-8-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-0-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-6-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-5-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-4-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-108-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-1-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-2-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-84-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-85-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-88-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-89-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-90-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-91-0x00007FFBAFBF0000-0x00007FFBAFDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4160-104-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-105-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-107-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4160-106-0x00007FFB6FC70000-0x00007FFB6FC80000-memory.dmp

Filesize
64KB

Download
memory/4248-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

description	pid	process	target process
PID 4160 wrote to memory of 1768	4160	EXCEL.EXE	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 4160 wrote to memory of 1768	4160	EXCEL.EXE	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 4160 wrote to memory of 1768	4160	EXCEL.EXE	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 4248	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 1768 wrote to memory of 548	1768	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 4248 wrote to memory of 2504	4248	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 4248 wrote to memory of 2504	4248	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 4248 wrote to memory of 2504	4248	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 2324	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 2504 wrote to memory of 3656	2504	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	15f51430-94b3-4965-82a8-659f8b27d2e0.exe
PID 548 wrote to memory of 3680	548	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	schtasks.exe
PID 548 wrote to memory of 3680	548	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	schtasks.exe
PID 548 wrote to memory of 3680	548	15f51430-94b3-4965-82a8-659f8b27d2e0.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads