Malware Analysis Report

2024-08-06 18:13

Sample ID 240704-vd4zaa1gqg
Target 6621fcab4de5fab7eac4d8d03c87f233.bin
SHA256 d43587c87eacc8e66d9108b021859c515486308011a1f9eea7c3f0bc42f018f2
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d43587c87eacc8e66d9108b021859c515486308011a1f9eea7c3f0bc42f018f2

Threat Level: Known bad

The file 6621fcab4de5fab7eac4d8d03c87f233.bin was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:53

Reported

2024-07-04 17:11

Platform

win7-20240508-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1616 set thread context of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 set thread context of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 set thread context of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 set thread context of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 set thread context of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1616 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 3012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 3012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 3012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 3012 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2604 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2596 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

"C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F0.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/1616-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

memory/1616-1-0x0000000000FF0000-0x000000000102C000-memory.dmp

memory/1616-2-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1616-3-0x0000000000470000-0x00000000004AA000-memory.dmp

memory/1616-4-0x0000000074E60000-0x000000007554E000-memory.dmp

memory/1616-5-0x0000000000290000-0x0000000000296000-memory.dmp

memory/3012-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3012-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1616-19-0x0000000074E60000-0x000000007554E000-memory.dmp

memory/3012-18-0x0000000074E60000-0x000000007554E000-memory.dmp

memory/2596-20-0x0000000074E60000-0x000000007554E000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

MD5 6621fcab4de5fab7eac4d8d03c87f233
SHA1 70dd77e26e803239877b30439eb123454bc137cc
SHA256 ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2
SHA512 d132d2399c65b6b0083f7172c04d4708b28b3deceb93fd0c5dfc5bcfdfd9ee459c5b46853d176e08e99a2a8842945e6cd396e4137fac430c67abea388e83789c

memory/3012-27-0x0000000074E60000-0x000000007554E000-memory.dmp

memory/2604-28-0x0000000000880000-0x00000000008BC000-memory.dmp

memory/2596-42-0x0000000074E60000-0x000000007554E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4F0.tmp

MD5 83d6e89b8754d25b433641acaa2a66eb
SHA1 f89d5bdae947ac5cb70fc2ab675b48081d9b0732
SHA256 5616a5762d790c9d6f881095099a0adae1b5f2dee34ec1909e823d851a28f5d0
SHA512 fb805ced008dc025a0e851ed0075fbc7f9f65a667e82fe68a8f434490f476d1a5bceebaadedf726ac5447f7ccfbd91ef19669ef499150960c9d4b0204cbef97f

memory/2596-45-0x0000000074E60000-0x000000007554E000-memory.dmp

memory/2596-46-0x0000000074E60000-0x000000007554E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:53

Reported

2024-07-04 17:11

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1260 set thread context of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 set thread context of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 set thread context of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 set thread context of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 set thread context of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 set thread context of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1260 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1940 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1940 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1940 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 1012 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe
PID 2592 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

"C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Local\Temp\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 772 -ip 772

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 12

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31C9.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp
NL 91.92.248.167:1280 tcp

Files

memory/1260-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

memory/1260-1-0x0000000000FC0000-0x0000000000FFC000-memory.dmp

memory/1260-2-0x00000000057F0000-0x00000000057F6000-memory.dmp

memory/1260-3-0x000000000E3D0000-0x000000000E40A000-memory.dmp

memory/1260-4-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1260-5-0x000000000E4B0000-0x000000000E54C000-memory.dmp

memory/1260-6-0x000000000EB00000-0x000000000F0A4000-memory.dmp

memory/1260-7-0x000000000E5F0000-0x000000000E682000-memory.dmp

memory/1260-8-0x00000000052A0000-0x00000000052A6000-memory.dmp

memory/772-10-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/1940-15-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1260-16-0x00000000750E0000-0x0000000075890000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2.exe

MD5 6621fcab4de5fab7eac4d8d03c87f233
SHA1 70dd77e26e803239877b30439eb123454bc137cc
SHA256 ac781121f63db7be4e5c79ea106118ce2c7a06f0abef01be3e54ff77351691e2
SHA512 d132d2399c65b6b0083f7172c04d4708b28b3deceb93fd0c5dfc5bcfdfd9ee459c5b46853d176e08e99a2a8842945e6cd396e4137fac430c67abea388e83789c

memory/1940-27-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1012-28-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1012-29-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/2592-34-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/1012-37-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/2592-38-0x00000000750E0000-0x0000000075890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp31C9.tmp

MD5 4612375ad605d10e79d882b7afc296ca
SHA1 fb4e4ece5c24ac82dc682c074a6512c0f658b9cb
SHA256 6a61e18e644a02a278465f91e5ced51e2aeba0d3a8aff0e347dc78275e32eedb
SHA512 4e4ad525b7b69d6ccc33b1d77d077c56df86cd7ba7cf5f02cfc78c1035f611d16249d5cedbd24297db5fcb1f4082e6aab60c447670f4996003fee77fd44478cb