Malware Analysis Report

2024-08-06 18:16

Sample ID 240622-bzyvls1dqc
Target dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
Tags
xenorat rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a

Threat Level: Known bad

The file dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Detects executables packed with ConfuserEx Mod

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 01:35

Reported

2024-06-22 01:38

Platform

win7-20240611-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2416 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 set thread context of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 set thread context of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 set thread context of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2416 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2564 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2564 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2564 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2564 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2836 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2712 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F51.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/2416-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/2416-1-0x0000000000F70000-0x0000000000FAC000-memory.dmp

memory/2416-2-0x00000000002F0000-0x00000000002F6000-memory.dmp

memory/2416-3-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/2416-4-0x0000000000550000-0x000000000058A000-memory.dmp

memory/2416-5-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2756-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2756-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2756-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2756-23-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/2416-24-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/2564-25-0x0000000074AC0000-0x00000000751AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/2836-33-0x0000000000900000-0x000000000093C000-memory.dmp

memory/2564-31-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/2756-46-0x0000000074AC0000-0x00000000751AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3F51.tmp

MD5 f8dc44da42b7efb85bc15ab7f6fa7bd2
SHA1 f81f26de6ba0432771aeffa2bcf169012d4f835f
SHA256 7cd99bf8e6e3763d8614843118ea96c6b23a8bd4740f050238702a81cfb2f292
SHA512 6973a187fb215b6c1f027fe88b15a0ec989dd75ddf73cbb2de60f0d7820bed36e18f0bdfe5c13a13d8aab765802fdeb35998c608523dfbbdd7814d5b5e82f32b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 01:35

Reported

2024-06-22 01:38

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

Signatures

XenorRat

trojan rat xenorat

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2852 set thread context of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 set thread context of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 set thread context of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 set thread context of 4260 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 set thread context of 4120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 set thread context of 1856 N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 2852 wrote to memory of 3208 (5 identical events) N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 376 wrote to memory of 4172 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 wrote to memory of 4260 (8 identical events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 wrote to memory of 4120 (8 identical events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4172 wrote to memory of 1856 (8 identical events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe
PID 4860 wrote to memory of 4704 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Local\Temp\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3208 -ip 3208

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4260 -ip 4260

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 80

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 152

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/2852-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/2852-1-0x0000000000780000-0x00000000007BC000-memory.dmp

memory/2852-2-0x0000000002A60000-0x0000000002A66000-memory.dmp

memory/2852-3-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2852-4-0x0000000005100000-0x000000000513A000-memory.dmp

memory/2852-5-0x0000000008690000-0x000000000872C000-memory.dmp

memory/2852-6-0x0000000008CE0000-0x0000000009284000-memory.dmp

memory/2852-7-0x00000000087D0000-0x0000000008862000-memory.dmp

memory/2852-8-0x00000000052C0000-0x00000000052C6000-memory.dmp

memory/4860-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/376-15-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4860-14-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2852-16-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4860-17-0x0000000074D00000-0x00000000754B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe

MD5 792c34fea9fdbebd00ccb3e2c82bd3a5
SHA1 d50a4769a2fca48504e9535a598f1e812d003c2f
SHA256 dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a
SHA512 f68beb38b7c68432211531d7a6f95626f388089098c878aee956def1e6de96744fa6459064ebd04df01316092cc018ad8321691cdc57265da889f030bf77e606

memory/4172-29-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/376-30-0x0000000074D00000-0x00000000754B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dc787902ffa15a1b58362cbe8c53af008bf2902426d091bf8e662070a20e8a5a.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/4172-37-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/4860-38-0x0000000074D00000-0x00000000754B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp

MD5 f8dc44da42b7efb85bc15ab7f6fa7bd2
SHA1 f81f26de6ba0432771aeffa2bcf169012d4f835f
SHA256 7cd99bf8e6e3763d8614843118ea96c6b23a8bd4740f050238702a81cfb2f292
SHA512 6973a187fb215b6c1f027fe88b15a0ec989dd75ddf73cbb2de60f0d7820bed36e18f0bdfe5c13a13d8aab765802fdeb35998c608523dfbbdd7814d5b5e82f32b