Malware Analysis Report

2024-08-06 18:14

Sample ID 240621-jd367s1dmh
Target 6621fcab4de5fab7eac4d8d03c87f233.exe
SHA256 ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2

Threat Level: Known bad

The file 6621fcab4de5fab7eac4d8d03c87f233.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 07:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 07:34

Reported

2024-06-21 07:36

Platform

win7-20240508-en

Max time kernel

147s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2928 set thread context of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 set thread context of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 set thread context of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 set thread context of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 set thread context of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2928 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2812 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 2788 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe
PID 2788 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe
PID 2788 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe
PID 2788 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

"C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe"

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1111.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/2928-0-0x000000007419E000-0x000000007419F000-memory.dmp

memory/2928-1-0x0000000000150000-0x000000000018C000-memory.dmp

memory/2928-2-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2928-3-0x0000000000390000-0x00000000003CA000-memory.dmp

memory/2928-4-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2928-5-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/2812-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2812-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2812-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2812-15-0x0000000074190000-0x000000007487E000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

MD5 6621fcab4de5fab7eac4d8d03c87f233
SHA1 70dd77e26e803239877b30439eb123454bc137cc
SHA256 ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2
SHA512 d132d2399c65b6b0083f7172c04d4708b28b3deceb93fd0c5dfc5bcfdfd9ee459c5b46853d176e08e99a2a8842945e6cd396e4137fac430c67abea388e83789c

memory/2812-23-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2672-22-0x0000000000EA0000-0x0000000000EDC000-memory.dmp

memory/2928-37-0x0000000074190000-0x000000007487E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1111.tmp

MD5 90d3513457b3de640485bc59548e06bd
SHA1 06ea62b67de34d3396ad59f91c7185832393519a
SHA256 f42c8495fe576721693cf7a7a3e44f61c36f708cd622ec7fb2e013500dd54838
SHA512 06d370edbaff0d20796a22f28956ad6896052209ea55f3bad92d050958abb6d9d9c13dfd6a25d024f10cc96d76df3cd87ad10ae46857033390548498e8d65e1e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 07:34

Reported

2024-06-21 07:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4872 set thread context of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 set thread context of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 set thread context of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 set thread context of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 set thread context of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 4872 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 3320 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 3320 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 3320 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1936 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe
PID 1676 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe
PID 1676 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe
PID 1676 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

"C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe"

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Local\Temp\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/4872-0-0x00000000751DE000-0x00000000751DF000-memory.dmp

memory/4872-1-0x00000000008B0000-0x00000000008EC000-memory.dmp

memory/4872-2-0x0000000002CA0000-0x0000000002CA6000-memory.dmp

memory/4872-3-0x000000000DE40000-0x000000000DE7A000-memory.dmp

memory/4872-5-0x000000000DF20000-0x000000000DFBC000-memory.dmp

memory/4872-4-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/4872-6-0x000000000E570000-0x000000000EB14000-memory.dmp

memory/4872-7-0x000000000E060000-0x000000000E0F2000-memory.dmp

memory/4872-8-0x0000000004D10000-0x0000000004D16000-memory.dmp

memory/3320-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3320-14-0x00000000751D0000-0x0000000075980000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6621fcab4de5fab7eac4d8d03c87f233.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/2484-17-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/1676-18-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/4872-21-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/1676-20-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/2484-19-0x00000000751D0000-0x0000000075980000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\6621fcab4de5fab7eac4d8d03c87f233.exe

MD5 6621fcab4de5fab7eac4d8d03c87f233
SHA1 70dd77e26e803239877b30439eb123454bc137cc
SHA256 ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2
SHA512 d132d2399c65b6b0083f7172c04d4708b28b3deceb93fd0c5dfc5bcfdfd9ee459c5b46853d176e08e99a2a8842945e6cd396e4137fac430c67abea388e83789c

memory/3320-32-0x00000000751D0000-0x0000000075980000-memory.dmp

memory/1676-39-0x00000000751D0000-0x0000000075980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp

MD5 9bebe31e5ff2a5eae2b0cbbdb94e5a4f
SHA1 731c8074c0b0d2280be5b1ff5d2ecdbaef82c803
SHA256 4a7ceb2293c43dca1314f795c40bff88871639dc9db342b63841434ad691546e
SHA512 74335ddfcb6b2bba86ecfb45a99ecfc85ec0d76ada26cb795346aab45b2190072147b6d7c345621a324db1ac1205bbb21698d5e23e71902857f92a02a946e05e