xenorat | 314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a

Analysis

max time kernel
150s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26-07-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Size

251KB
MD5

a19fec1543d46acedb157ed4c17da068
SHA1

d50111c5a5e68da910859547d95ed9bf0ffdc79f
SHA256

314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a
SHA512

18b9b4e50fa80b6fd2c4622cb260154238693bfeb06bc12738245f912b7e2151502524ca5805f70b1d7f2492a8cc664f0caace0ecdae62188467346788e111f3
SSDEEP

6144:RrhjV4Q63rq/vWq93ptqNjzsMzDFmacKtC7zK5c97Cm7I:Blh6bqWqZ34Hn/FTcDzK5c97Cms

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes

delay
60400
install_path
appdata
port
1243
startup_name
HDdisplay

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 5 IoCs

pid	Process
3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
2308	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
3352	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
4300	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
4808	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 972 set thread context of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 set thread context of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 set thread context of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 set thread context of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 3924 set thread context of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 set thread context of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 set thread context of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 set thread context of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2404	4300	WerFault.exe	89
1492	2308	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
Token: SeDebugPrivilege	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1880	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	82
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 1188	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	83
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 4572	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	84
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 972 wrote to memory of 1852	972	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	85
PID 1880 wrote to memory of 3924	1880	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	86
PID 1880 wrote to memory of 3924	1880	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	86
PID 1880 wrote to memory of 3924	1880	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	86
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 2308	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	87
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 3352	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	88
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4300	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	89
PID 3924 wrote to memory of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91
PID 3924 wrote to memory of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91
PID 3924 wrote to memory of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91
PID 3924 wrote to memory of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91
PID 3924 wrote to memory of 4808	3924	314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe	91

C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
"C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      4⤵
      Executes dropped EXE
      PID:2308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 92
        5⤵
        Program crash
        
        PID:1492
  - - C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3352
  - - C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      4⤵
      Executes dropped EXE
      PID:4300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 28
        5⤵
        Program crash
        
        PID:2404
  - - C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4808
- C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBD4.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  C:\Users\Admin\AppData\Local\Temp\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4300 -ip 4300
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2308 -ip 2308
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe.log

Filesize
706B

MD5
80305b9a250a27091f46fa147674ffb3

SHA1
81b485761494618e4c8bba9af56c29b2ea8e8a07

SHA256
d9febc24cdfe2a616fff0e891fb055951aad00be6d57b0bc3cf8f4f643c5f6ae

SHA512
52544d526e83ae2a71d63768457435dbe79843a76146f60b7e41ec7b53ddb620323592325e19d6776b92b7e1fbb8dc79db85e94a30d970f0983563456ccd7a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBD4.tmp

Filesize
1KB

MD5
3edf5580bbe57d902ebeb744acf2bc96

SHA1
9b218f207a38009c9fb5a402b23e9706ea4d9404

SHA256
f12d5c9a0e1475762042516341d1b59bc1dfc415b19718b5f859f99693063e6c

SHA512
a3a75d9a3812f7d38b9f411db4146c8c31c934f33925c3a26ae64a2646929b1b2abde12bc582984b1fd9724870ed8fb5d01f8862ca1b4369ff01b840ecce8252

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a.exe

Filesize
251KB

MD5
a19fec1543d46acedb157ed4c17da068

SHA1
d50111c5a5e68da910859547d95ed9bf0ffdc79f

SHA256
314dd9f3d257729323aa2dfaaf312b7cd54dbcc2214721eea0863a9b6353cf7a

SHA512
18b9b4e50fa80b6fd2c4622cb260154238693bfeb06bc12738245f912b7e2151502524ca5805f70b1d7f2492a8cc664f0caace0ecdae62188467346788e111f3

Download Submit
memory/972-8-0x0000000002730000-0x0000000002736000-memory.dmp

Filesize
24KB

Download
memory/972-18-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/972-5-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/972-6-0x00000000055C0000-0x0000000005B66000-memory.dmp

Filesize
5.6MB

Download
memory/972-7-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/972-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/972-1-0x0000000000140000-0x0000000000188000-memory.dmp

Filesize
288KB

Download
memory/972-2-0x00000000026D0000-0x00000000026D6000-memory.dmp

Filesize
24KB

Download
memory/972-3-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/972-4-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/1188-17-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1188-39-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1880-14-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1880-29-0x00000000750A0000-0x0000000075851000-memory.dmp

Filesize
7.7MB

Download
memory/1880-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads