Malware Analysis Report

2024-08-06 18:12

Sample ID 240702-b4bkwavgrr
Target 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
SHA256 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce
Tags
xenorat rat trojan spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce

Threat Level: Known bad

The file 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan spyware stealer

XenorRat

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-02 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 01:41

Reported

2024-07-02 01:43

Platform

win7-20240508-en

Max time kernel

126s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1868 set thread context of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 set thread context of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 set thread context of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 set thread context of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 set thread context of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 set thread context of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1868 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2584 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2300 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

"C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/1868-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

memory/1868-1-0x0000000000110000-0x0000000000150000-memory.dmp

memory/1868-2-0x0000000000230000-0x0000000000236000-memory.dmp

memory/1868-3-0x00000000003B0000-0x00000000003EE000-memory.dmp

memory/1868-4-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/1868-5-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2584-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3060-24-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2584-23-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/1868-30-0x0000000074A80000-0x000000007516E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

MD5 2c2e04484f2c8317df24936703c2b146
SHA1 551562978661e925c8b56489d0fa92635ef6e965
SHA256 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce
SHA512 abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b

memory/2584-32-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2300-33-0x00000000010F0000-0x0000000001130000-memory.dmp

memory/3060-46-0x0000000074A80000-0x000000007516E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp

MD5 a139168bd808a2618b94fb30af83bbb6
SHA1 d546675a859ff51567a05083e5316560572528da
SHA256 3698ddcd754088b10a349f7850a9005cfaba5cddb11b14fe9939506413592a7f
SHA512 051efe794a4e30ac4fef5e0f3542262b9c60853eb3ff73688176d8fb2af8fff00ad0ce91b2754137f47c9a1477eeb5180abddcc3849e3c150ae0cd7d6a0c86b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 01:41

Reported

2024-07-02 01:43

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5004 set thread context of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 set thread context of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 set thread context of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 set thread context of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 set thread context of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 5004 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2000 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2000 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2000 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 1468 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe
PID 2212 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2212 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe
PID 2212 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

"C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Local\Temp\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 2128

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 167.248.92.91.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/5004-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/5004-1-0x0000000000E30000-0x0000000000E70000-memory.dmp

memory/5004-2-0x00000000057A0000-0x00000000057A6000-memory.dmp

memory/5004-3-0x000000000E370000-0x000000000E3AE000-memory.dmp

memory/5004-4-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/5004-5-0x000000000E450000-0x000000000E4EC000-memory.dmp

memory/5004-6-0x0000000003230000-0x0000000003236000-memory.dmp

memory/2000-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2000-12-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2212-13-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/5004-15-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2212-14-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

MD5 2c2e04484f2c8317df24936703c2b146
SHA1 551562978661e925c8b56489d0fa92635ef6e965
SHA256 884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce
SHA512 abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe.log

MD5 8334a471a4b492ece225b471b8ad2fc8
SHA1 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

memory/1468-28-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2000-27-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/1468-35-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/2212-36-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7700.tmp

MD5 a139168bd808a2618b94fb30af83bbb6
SHA1 d546675a859ff51567a05083e5316560572528da
SHA256 3698ddcd754088b10a349f7850a9005cfaba5cddb11b14fe9939506413592a7f
SHA512 051efe794a4e30ac4fef5e0f3542262b9c60853eb3ff73688176d8fb2af8fff00ad0ce91b2754137f47c9a1477eeb5180abddcc3849e3c150ae0cd7d6a0c86b5

memory/2212-39-0x0000000006180000-0x00000000061E6000-memory.dmp

memory/2212-40-0x00000000063F0000-0x00000000064EA000-memory.dmp

memory/2212-41-0x00000000066C0000-0x0000000006882000-memory.dmp

memory/2212-42-0x0000000006580000-0x00000000065F6000-memory.dmp

memory/2212-43-0x0000000006600000-0x0000000006650000-memory.dmp

memory/2212-44-0x0000000006DC0000-0x00000000072EC000-memory.dmp

memory/2212-45-0x0000000006A00000-0x0000000006A1E000-memory.dmp

memory/2212-54-0x00000000072F0000-0x0000000007570000-memory.dmp