Malware Analysis Report

2024-08-06 18:12

Sample ID 240702-bhbnra1cld
Target 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
SHA256 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
Tags
xenorat rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9

Threat Level: Known bad

The file 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat spyware stealer trojan

XenorRat

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-02 01:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 01:08

Reported

2024-07-02 01:10

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 set thread context of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 set thread context of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 set thread context of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 set thread context of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2964 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2620 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2620 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2620 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2620 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2548 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2552 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe
PID 2552 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe
PID 2552 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe
PID 2552 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

"C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB6F.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/2964-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

memory/2964-1-0x0000000000390000-0x00000000003D0000-memory.dmp

memory/2964-2-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/2964-3-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2964-4-0x00000000003F0000-0x000000000042E000-memory.dmp

memory/2964-5-0x00000000002F0000-0x00000000002F6000-memory.dmp

memory/2552-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2552-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2552-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2964-23-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2552-25-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2620-26-0x0000000074C10000-0x00000000752FE000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

MD5 0551dcf55adc23a07d56580729730d50
SHA1 5d09095bde071815b26624712352a9b0cc579d16
SHA256 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
SHA512 6368b2ffceffc2415c1d21f5cc2107c1374b0a045ebd7181c7e1557904d44cc33b0f55380f83cf9d1693ef5d24bd1d292aa7348a72a8cefe7df7d72b0dc27b81

memory/2620-32-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2548-33-0x0000000000D40000-0x0000000000D80000-memory.dmp

memory/2552-49-0x0000000074C10000-0x00000000752FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFB6F.tmp

MD5 364eece25949d0382cb2359417990db6
SHA1 7dfe4b87a282ea9d03195cf34d6f3ed73462904e
SHA256 97226722a9361b515cbb623c3c7cc2468a8bb79dc471376407b8f9768d0c79c4
SHA512 b6d5ed28aa504b9e0577b8acc06d25509a5c45a8e0c2794bbd1f24617c48ae9b02ce8747efa26cb222d7314113389ee5c283392a9da325203cdb337039daa971

memory/2552-52-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2552-53-0x0000000005690000-0x000000000578A000-memory.dmp

memory/2552-69-0x0000000074C10000-0x00000000752FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 01:08

Reported

2024-07-02 01:10

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 set thread context of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 set thread context of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 set thread context of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 set thread context of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 set thread context of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 4948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 2340 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe
PID 1464 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

"C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Local\Temp\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2220 -ip 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 80

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp725C.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 167.248.92.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4540-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/4540-1-0x0000000000E80000-0x0000000000EC0000-memory.dmp

memory/4540-2-0x0000000003160000-0x0000000003166000-memory.dmp

memory/4540-5-0x00000000059E0000-0x0000000005A7C000-memory.dmp

memory/4540-4-0x0000000005900000-0x000000000593E000-memory.dmp

memory/4540-3-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4540-6-0x0000000003170000-0x0000000003176000-memory.dmp

memory/4940-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4948-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4948-12-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4540-13-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1464-14-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1464-15-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

MD5 0551dcf55adc23a07d56580729730d50
SHA1 5d09095bde071815b26624712352a9b0cc579d16
SHA256 1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9
SHA512 6368b2ffceffc2415c1d21f5cc2107c1374b0a045ebd7181c7e1557904d44cc33b0f55380f83cf9d1693ef5d24bd1d292aa7348a72a8cefe7df7d72b0dc27b81

memory/4948-28-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/2340-27-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe.log

MD5 8334a471a4b492ece225b471b8ad2fc8
SHA1 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

memory/2340-35-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1464-36-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp725C.tmp

MD5 364eece25949d0382cb2359417990db6
SHA1 7dfe4b87a282ea9d03195cf34d6f3ed73462904e
SHA256 97226722a9361b515cbb623c3c7cc2468a8bb79dc471376407b8f9768d0c79c4
SHA512 b6d5ed28aa504b9e0577b8acc06d25509a5c45a8e0c2794bbd1f24617c48ae9b02ce8747efa26cb222d7314113389ee5c283392a9da325203cdb337039daa971

memory/1464-39-0x00000000060E0000-0x0000000006146000-memory.dmp

memory/1464-40-0x0000000005760000-0x000000000585A000-memory.dmp

memory/1464-41-0x0000000006520000-0x00000000066E2000-memory.dmp

memory/1464-42-0x00000000063D0000-0x0000000006446000-memory.dmp

memory/1464-43-0x0000000006450000-0x00000000064A0000-memory.dmp

memory/1464-44-0x0000000006C20000-0x000000000714C000-memory.dmp

memory/1464-45-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/1464-54-0x0000000007150000-0x00000000073D0000-memory.dmp