xenorat | 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce

General

Target

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
Size

235KB
MD5

2c2e04484f2c8317df24936703c2b146
SHA1

551562978661e925c8b56489d0fa92635ef6e965
SHA256

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce
SHA512

abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b
SSDEEP

6144:lyTqCfoPYvHf+/MBeXAQZXZNyVOPyG+SpIOgBHqfWh7VwpSFDFzI:lsNfrqMBCDNysaGvIO2qfWh7VwpSFDF0

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes

delay
60000
install_path
appdata
port
1280
startup_name
cms

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Executes dropped EXE 4 IoCs

Processes:

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

pid	process
1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
2568	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
2524	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
4092	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

description	pid	process	target process
PID 4636 set thread context of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 set thread context of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 set thread context of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 set thread context of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 set thread context of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 set thread context of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
384	3668	WerFault.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
3604	4092	WerFault.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
3648	2524	WerFault.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4412 schtasks.exe

pid	process
4412	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

description	pid	process
Token: SeDebugPrivilege	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
Token: SeDebugPrivilege	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
"C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
2⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 80
3⤵
- Program crash
PID:384

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F29.tmp" /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
4⤵
- Executes dropped EXE
PID:2568

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
4⤵
- Executes dropped EXE
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 80
5⤵
- Program crash
PID:3648

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
4⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 80
5⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3668 -ip 3668
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2524 -ip 2524
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4092 -ip 4092
1⤵
PID:4120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe.log
Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F29.tmp
Filesize
1KB

MD5
a139168bd808a2618b94fb30af83bbb6

SHA1
d546675a859ff51567a05083e5316560572528da

SHA256
3698ddcd754088b10a349f7850a9005cfaba5cddb11b14fe9939506413592a7f

SHA512
051efe794a4e30ac4fef5e0f3542262b9c60853eb3ff73688176d8fb2af8fff00ad0ce91b2754137f47c9a1477eeb5180abddcc3849e3c150ae0cd7d6a0c86b5

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
Filesize
235KB

MD5
2c2e04484f2c8317df24936703c2b146

SHA1
551562978661e925c8b56489d0fa92635ef6e965

SHA256
884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce

SHA512
abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b

Download Submit
memory/1540-35-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1540-27-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3272-15-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3272-36-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3272-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3272-12-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3668-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4636-4-0x00000000058A0000-0x00000000058DE000-memory.dmp

Filesize
248KB

Download
memory/4636-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4636-6-0x0000000005600000-0x0000000005606000-memory.dmp

Filesize
24KB

Download
memory/4636-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/4636-5-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/4636-3-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4636-2-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/4636-1-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download
memory/4928-13-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-28-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3668	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 3272	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4636 wrote to memory of 4928	4636	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4928 wrote to memory of 1540	4928	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4928 wrote to memory of 1540	4928	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 4928 wrote to memory of 1540	4928	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2568	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 2524	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1540 wrote to memory of 4092	1540	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 3272 wrote to memory of 4412	3272	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	schtasks.exe
PID 3272 wrote to memory of 4412	3272	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	schtasks.exe
PID 3272 wrote to memory of 4412	3272	884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads