xenorat | 8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

General

Target

8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7.xll
Size

819KB
MD5

5475ac0337614b9651483ca83628c38f
SHA1

d03d0806bb24207780b441a090e3ff9e9d263929
SHA256

8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7
SHA512

d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c
SSDEEP

12288:xG1N4HkcgMsiOd58bzbBSre6Q0uqZzD1reWabd/dbNZEEx/DLn0vkYHipwyA:xoOOMX1K+QHT+d9NZdxYHip

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes

delay
60000
install_path
appdata
port
1279
startup_name
qns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2916-44-0x00000206A6E50000-0x00000206A6E94000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1592-60-0x0000000000950000-0x0000000000990000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/1592-64-0x0000000005300000-0x000000000533E000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Executes dropped EXE 8 IoCs

Processes:

0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

pid	process
1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
4440	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3308	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3068	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
2684	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

2916 EXCEL.EXE
2916 EXCEL.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

description	pid	process	target process
PID 1592 set thread context of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 set thread context of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 set thread context of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 set thread context of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 set thread context of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 set thread context of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 2684 WerFault.exe 0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

pid	pid_target	process	target process
2264	2684	WerFault.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2056 schtasks.exe

pid	process
2056	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2916 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXCEL.EXE

pid process

2916 EXCEL.EXE
2916 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

EXCEL.EXE0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

description	pid	process
Token: SeDebugPrivilege	2916	EXCEL.EXE
Token: SeDebugPrivilege	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
Token: SeDebugPrivilege	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2916 EXCEL.EXE
2916 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

EXCEL.EXE0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
"C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "qns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6018.tmp" /F
4⤵
- Creates scheduled task(s)
PID:2056

C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
5⤵
- Executes dropped EXE
PID:3308

C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
5⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Roaming\XenoManager\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
5⤵
- Executes dropped EXE
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 80
6⤵
- Program crash
PID:2264

C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
3⤵
- Executes dropped EXE
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2684 -ip 2684
1⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe.log
Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
Filesize
233KB

MD5
025593cacb392aadf7266febcb9f700a

SHA1
602a4fcbbdaf682dc6311dc72468a00eb148ca86

SHA256
6b09a61d15fd9835db561b9f7571c714333a071cce0facd8ac3dc39289ef8998

SHA512
8e5c571c4905b418446cea26d8ef978706d1deb209227c602b8dbc5e9b9d23379bf42169887ee81dd287b9c07e43df733ffa7a72e4e279f9dfcec490710ed947

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7.xll
Filesize
819KB

MD5
5475ac0337614b9651483ca83628c38f

SHA1
d03d0806bb24207780b441a090e3ff9e9d263929

SHA256
8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

SHA512
d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6018.tmp
Filesize
1KB

MD5
d65d4e0d922f6eefb5aa93b6db033b75

SHA1
fa9f0ec3fcba9afe16e72c6a6df898926bf80193

SHA256
5bf2f0d301957db3449768a969e548afd0701a31bda179a22f07673b4884bdad

SHA512
8bef95841f63069c8f62e209c4d9c9a1ff8c9c93bd488fa3f4f8f7ae1eee5b1bcb8072dc6a1f2f78254f340f9f8618815e32318632384604bdea4959f3cb27e7

Download Submit
memory/1592-75-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/1592-66-0x0000000004DA0000-0x0000000004DA6000-memory.dmp

Filesize
24KB

Download
memory/1592-65-0x000000000DF60000-0x000000000DFFC000-memory.dmp

Filesize
624KB

Download
memory/1592-64-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/1592-63-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/1592-61-0x0000000002C80000-0x0000000002C86000-memory.dmp

Filesize
24KB

Download
memory/1592-60-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/1592-59-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-15-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-45-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-14-0x00007FFA12A30000-0x00007FFA12A40000-memory.dmp

Filesize
64KB

Download
memory/2916-0-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-16-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-17-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-18-0x00007FFA12A30000-0x00007FFA12A40000-memory.dmp

Filesize
64KB

Download
memory/2916-13-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-27-0x000002068BE70000-0x000002068BF56000-memory.dmp

Filesize
920KB

Download
memory/2916-28-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-29-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-30-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-34-0x00000206A6C10000-0x00000206A6C24000-memory.dmp

Filesize
80KB

Download
memory/2916-35-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-36-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-37-0x00007FFA54AAD000-0x00007FFA54AAE000-memory.dmp

Filesize
4KB

Download
memory/2916-38-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-39-0x00000206A6C10000-0x00000206A6C24000-memory.dmp

Filesize
80KB

Download
memory/2916-40-0x00000206A6C50000-0x00000206A6DD4000-memory.dmp

Filesize
1.5MB

Download
memory/2916-41-0x00000206A6DD0000-0x00000206A6E0C000-memory.dmp

Filesize
240KB

Download
memory/2916-43-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-42-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-44-0x00000206A6E50000-0x00000206A6E94000-memory.dmp

Filesize
272KB

Download
memory/2916-12-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-11-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-9-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-10-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-8-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-62-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-7-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-6-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-5-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-4-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-121-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-2-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-3-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-77-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-85-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-95-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-96-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-99-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-100-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp

Filesize
2.0MB

Download
memory/2916-1-0x00007FFA54AAD000-0x00007FFA54AAE000-memory.dmp

Filesize
4KB

Download
memory/2916-120-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-119-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-117-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/2916-118-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp

Filesize
64KB

Download
memory/4172-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

description	pid	process	target process
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2916 wrote to memory of 1592	2916	EXCEL.EXE	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4172	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 2140	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 1592 wrote to memory of 4440	1592	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2140 wrote to memory of 2892	2140	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3308	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 3068	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 2892 wrote to memory of 2684	2892	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	schtasks.exe
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	schtasks.exe
PID 4172 wrote to memory of 2056	4172	0ad0a1af-4a5b-4ec9-af0c-099e0816f76d.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads