Malware Analysis Report

2024-08-06 18:13

Sample ID 240704-t8dj5s1fqg
Target 477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c
SHA256 477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c

Threat Level: Known bad

The file 477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:43

Reported

2024-07-04 17:11

Platform

win7-20240508-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2368 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 set thread context of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 set thread context of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 set thread context of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 set thread context of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2368 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2608 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2488 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

"C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/2368-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/2368-1-0x0000000000BE0000-0x0000000000C20000-memory.dmp

memory/2368-2-0x0000000000460000-0x0000000000466000-memory.dmp

memory/2368-3-0x0000000000580000-0x00000000005BE000-memory.dmp

memory/2368-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2368-5-0x0000000000390000-0x0000000000396000-memory.dmp

memory/2608-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2608-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2608-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2608-23-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2488-32-0x0000000000D40000-0x0000000000D80000-memory.dmp

memory/2368-26-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2608-33-0x0000000074A00000-0x00000000750EE000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

MD5 b41d067615ca60ffe4253297866d79be
SHA1 1aab2b69eb9f918d1e0a23a82a98411709ee2fdb
SHA256 477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c
SHA512 7c5b98c2e3fbdafc0949ca9d32b9c41be044f3b99052e1119472d1999442114ed60d5949929e7b14aa028c77c7adc638ee0507362ab848af7cb4612c9313e29e

memory/2124-25-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2124-46-0x0000000074A00000-0x00000000750EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp

MD5 37d8f916f69666f7b5814df290e50c2f
SHA1 d4acff3a48bb79e17a6174a012f5ab8c84c7cec2
SHA256 90dc3324a60e56d6db1f21a9a04887365a999232b2a4a7c994f8e1c3ecf9603a
SHA512 2050d02a75e01c132074014bb718392e7022d7a4d73442127cc61273a9d8e3324f0025d535b0a2c249d7f377a299e77b61ea2f821f3e4571ae4ad252071e0b10

memory/2124-49-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2124-50-0x0000000074A00000-0x00000000750EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:43

Reported

2024-07-04 17:12

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1164 set thread context of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 set thread context of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 set thread context of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 set thread context of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 set thread context of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 set thread context of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2816 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2816 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 2816 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 4936 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe
PID 1172 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1172 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

"C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Local\Temp\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 80

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2025.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
GB 88.221.135.27:443 www.bing.com tcp
US 8.8.8.8:53 27.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 udp

Files

memory/1164-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

memory/1164-1-0x00000000007B0000-0x00000000007F0000-memory.dmp

memory/1164-2-0x0000000002CB0000-0x0000000002CB6000-memory.dmp

memory/1164-3-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1164-4-0x00000000052E0000-0x000000000531E000-memory.dmp

memory/1164-5-0x000000000DE30000-0x000000000DECC000-memory.dmp

memory/1164-6-0x00000000011B0000-0x00000000011B6000-memory.dmp

memory/2816-7-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe.log

MD5 8334a471a4b492ece225b471b8ad2fc8
SHA1 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

memory/2816-13-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/3136-14-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1164-15-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1172-16-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1172-17-0x00000000750A0000-0x0000000075850000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c.exe

MD5 b41d067615ca60ffe4253297866d79be
SHA1 1aab2b69eb9f918d1e0a23a82a98411709ee2fdb
SHA256 477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c
SHA512 7c5b98c2e3fbdafc0949ca9d32b9c41be044f3b99052e1119472d1999442114ed60d5949929e7b14aa028c77c7adc638ee0507362ab848af7cb4612c9313e29e

memory/2816-28-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/1172-35-0x00000000750A0000-0x0000000075850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2025.tmp

MD5 37d8f916f69666f7b5814df290e50c2f
SHA1 d4acff3a48bb79e17a6174a012f5ab8c84c7cec2
SHA256 90dc3324a60e56d6db1f21a9a04887365a999232b2a4a7c994f8e1c3ecf9603a
SHA512 2050d02a75e01c132074014bb718392e7022d7a4d73442127cc61273a9d8e3324f0025d535b0a2c249d7f377a299e77b61ea2f821f3e4571ae4ad252071e0b10