Malware Analysis Report

2024-08-06 18:08

Sample ID 240621-gm3wpatdjr
Target dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a

Threat Level: Known bad

The file dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 05:56

Reported

2024-06-21 05:58

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4076 set thread context of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 set thread context of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 set thread context of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 set thread context of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 set thread context of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 set thread context of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4076 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 312 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 312 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 312 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 3572 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 4204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 4204 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3420 -ip 3420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 84

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp338E.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/4076-0-0x000000007492E000-0x000000007492F000-memory.dmp

memory/4076-1-0x0000000000E80000-0x0000000000EBC000-memory.dmp

memory/4076-2-0x0000000001740000-0x0000000001746000-memory.dmp

memory/4076-3-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4076-4-0x0000000005900000-0x000000000593A000-memory.dmp

memory/4076-5-0x0000000006B20000-0x0000000006BBC000-memory.dmp

memory/4076-6-0x0000000007170000-0x0000000007714000-memory.dmp

memory/4076-7-0x0000000006C60000-0x0000000006CF2000-memory.dmp

memory/4076-8-0x00000000057D0000-0x00000000057D6000-memory.dmp

memory/312-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/312-14-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3420-11-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4204-16-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4076-17-0x0000000074920000-0x00000000750D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/4204-19-0x0000000074920000-0x00000000750D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/3572-31-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/312-30-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/3572-38-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4204-39-0x0000000074920000-0x00000000750D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp338E.tmp

MD5 f8dc44da42b7efb85bc15ab7f6fa7bd2
SHA1 f81f26de6ba0432771aeffa2bcf169012d4f835f
SHA256 7cd99bf8e6e3763d8614843118ea96c6b23a8bd4740f050238702a81cfb2f292
SHA512 6973a187fb215b6c1f027fe88b15a0ec989dd75ddf73cbb2de60f0d7820bed36e18f0bdfe5c13a13d8aab765802fdeb35998c608523dfbbdd7814d5b5e82f32b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 05:56

Reported

2024-06-21 05:58

Platform

win11-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1652 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 set thread context of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 set thread context of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 set thread context of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 set thread context of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1652 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2708 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2708 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2708 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 1964 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4980 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 4980 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 4980 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1512 -ip 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 92

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 92

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65D9.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/1652-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

memory/1652-1-0x0000000000850000-0x000000000088C000-memory.dmp

memory/1652-2-0x0000000002D40000-0x0000000002D46000-memory.dmp

memory/1652-3-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1652-4-0x00000000052A0000-0x00000000052DA000-memory.dmp

memory/1652-5-0x0000000005600000-0x000000000569C000-memory.dmp

memory/1652-6-0x0000000005C50000-0x00000000061F6000-memory.dmp

memory/1652-7-0x00000000056A0000-0x0000000005732000-memory.dmp

memory/1652-8-0x0000000005560000-0x0000000005566000-memory.dmp

memory/2708-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2708-15-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1652-16-0x0000000074AE0000-0x0000000075291000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe.log

MD5 80305b9a250a27091f46fa147674ffb3
SHA1 81b485761494618e4c8bba9af56c29b2ea8e8a07
SHA256 d9febc24cdfe2a616fff0e891fb055951aad00be6d57b0bc3cf8f4f643c5f6ae
SHA512 52544d526e83ae2a71d63768457435dbe79843a76146f60b7e41ec7b53ddb620323592325e19d6776b92b7e1fbb8dc79db85e94a30d970f0983563456ccd7a19

memory/4980-17-0x0000000074AE0000-0x0000000075291000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/4980-28-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/2708-29-0x0000000074AE0000-0x0000000075291000-memory.dmp

memory/1512-30-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4980-36-0x0000000074AE0000-0x0000000075291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp65D9.tmp

MD5 f8dc44da42b7efb85bc15ab7f6fa7bd2
SHA1 f81f26de6ba0432771aeffa2bcf169012d4f835f
SHA256 7cd99bf8e6e3763d8614843118ea96c6b23a8bd4740f050238702a81cfb2f292
SHA512 6973a187fb215b6c1f027fe88b15a0ec989dd75ddf73cbb2de60f0d7820bed36e18f0bdfe5c13a13d8aab765802fdeb35998c608523dfbbdd7814d5b5e82f32b