Malware Analysis Report

2024-08-06 18:07

Sample ID 240621-gpqn5szbng
Target 792c34fea9fdbebd00ccb3e2c82bd3a5.exe
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a

Threat Level: Known bad

The file 792c34fea9fdbebd00ccb3e2c82bd3a5.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 05:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 05:59

Reported

2024-06-21 06:01

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2288 set thread context of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 set thread context of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 set thread context of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 set thread context of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 set thread context of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2288 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2396 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2396 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2396 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 4652 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2624 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2624 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2624 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

"C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4774.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 52.111.243.31:443 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/2288-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2288-1-0x0000000000B70000-0x0000000000BAC000-memory.dmp

memory/2288-2-0x0000000005490000-0x0000000005496000-memory.dmp

memory/2288-3-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2288-4-0x0000000005500000-0x000000000553A000-memory.dmp

memory/2288-5-0x0000000005860000-0x00000000058FC000-memory.dmp

memory/2288-6-0x0000000005EB0000-0x0000000006454000-memory.dmp

memory/2288-7-0x0000000005900000-0x0000000005992000-memory.dmp

memory/2288-8-0x00000000057C0000-0x00000000057C6000-memory.dmp

memory/2396-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2396-14-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\792c34fea9fdbebd00ccb3e2c82bd3a5.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/5056-18-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2288-19-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2624-20-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2624-17-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/5056-16-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/2396-31-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2624-38-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4774.tmp

MD5 4e5246e7abef1fefc0f54218c98badf2
SHA1 6fc50eec3f46acb1f2129d27e8b006463cad2e44
SHA256 2234cdda018017ab71809b5acc4c6a75b1a086552566ec742ae46461a42dace3
SHA512 79fc972aee63493401fd0419e642684a6b82cf931b42c93e77c231f7b6cd91e00c457b7f52d5cce40bfd4389fa16b8ec9a87555e449a84330d8fa6a6e07b23cb

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 05:59

Reported

2024-06-21 06:01

Platform

win7-20231129-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1660 set thread context of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 set thread context of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 set thread context of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 set thread context of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 set thread context of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 1660 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 3020 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 3020 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 3020 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 3020 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 2692 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe
PID 3016 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

"C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Local\Temp\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB6F.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/1660-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

memory/1660-1-0x0000000000260000-0x000000000029C000-memory.dmp

memory/1660-2-0x0000000000250000-0x0000000000256000-memory.dmp

memory/1660-3-0x0000000000850000-0x000000000088A000-memory.dmp

memory/1660-4-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1660-5-0x00000000002C0000-0x00000000002C6000-memory.dmp

memory/3016-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3016-18-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/3020-19-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1660-20-0x0000000073EF0000-0x00000000745DE000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\792c34fea9fdbebd00ccb3e2c82bd3a5.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/2692-28-0x0000000000A70000-0x0000000000AAC000-memory.dmp

memory/3020-27-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/3016-42-0x0000000073EF0000-0x00000000745DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFB6F.tmp

MD5 4e5246e7abef1fefc0f54218c98badf2
SHA1 6fc50eec3f46acb1f2129d27e8b006463cad2e44
SHA256 2234cdda018017ab71809b5acc4c6a75b1a086552566ec742ae46461a42dace3
SHA512 79fc972aee63493401fd0419e642684a6b82cf931b42c93e77c231f7b6cd91e00c457b7f52d5cce40bfd4389fa16b8ec9a87555e449a84330d8fa6a6e07b23cb

memory/3016-45-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/3016-46-0x0000000073EF0000-0x00000000745DE000-memory.dmp