Malware Analysis Report

2024-10-19 07:50

Sample ID 240819-r943datfpr
Target 0ecb6966a5dc7138bd15bde42ed8afb0N.exe
SHA256 8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9

Threat Level: Known bad

The file 0ecb6966a5dc7138bd15bde42ed8afb0N.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

XenorRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 14:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 14:54

Reported

2024-08-19 14:57

Platform

win7-20240705-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

Signatures

XenorRat

trojan rat xenorat

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2040 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2280 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2280 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2280 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2280 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2856 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2684 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

"C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp168.tmp" /F

Network

Country | Destination | Domain | Proto
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp

Files

memory/2040-0-0x000000007459E000-0x000000007459F000-memory.dmp

memory/2040-1-0x00000000000E0000-0x0000000000124000-memory.dmp

memory/2040-2-0x0000000000310000-0x0000000000316000-memory.dmp

memory/2040-3-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/2040-4-0x0000000000560000-0x000000000059C000-memory.dmp

memory/2040-5-0x0000000000450000-0x0000000000456000-memory.dmp

memory/2280-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2280-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2280-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2280-15-0x0000000074590000-0x0000000074C7E000-memory.dmp

memory/2040-14-0x0000000074590000-0x0000000074C7E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

MD5 0ecb6966a5dc7138bd15bde42ed8afb0
SHA1 a9fb9c5d41775f19bb298d9cc07fbc67ec83c4ca
SHA256 8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9
SHA512 bd5e9c0a9e675ce4881db3ec6ecf17f323a1d72eb31c7d84532086b95965fd8aa1a87520eee284379ceb767d29803ed3e94b7e76d3da011a936cdb264b6140db

memory/2856-22-0x0000000000130000-0x0000000000174000-memory.dmp

memory/2280-23-0x0000000074590000-0x0000000074C7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp168.tmp

MD5 58e6bbdbd2c03841b9a8b06980f30da7
SHA1 eeb7641bb206e1ff4c7ed75fcf21e600a0cbde1d
SHA256 74abca5202eeac16ca9d153ad201f55ef9ce85a9a72992eac02e7f54f9147659
SHA512 b604c3f6af62e08e60c1a46191b5f0421796614c929eaf61a3fb8497f298c26461d6adcafe387a848a772a82f7f752184448f1e0aceb7317086218f89b90ec27

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 14:54

Reported

2024-08-19 14:57

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4848 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 3628 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 3628 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 3628 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 4708 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
PID 2508 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

"C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp" /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
NL | 45.66.231.26:1356 | | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
NL | 45.66.231.26:1356 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp
NL | 45.66.231.26:1356 | | tcp

Files

memory/4848-0-0x000000007522E000-0x000000007522F000-memory.dmp

memory/4848-1-0x00000000006D0000-0x0000000000714000-memory.dmp

memory/4848-2-0x0000000005040000-0x0000000005046000-memory.dmp

memory/4848-3-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/4848-4-0x00000000050F0000-0x000000000512C000-memory.dmp

memory/4848-5-0x000000000DD70000-0x000000000DE0C000-memory.dmp

memory/4848-6-0x000000000E3C0000-0x000000000E964000-memory.dmp

memory/4848-7-0x000000000DE10000-0x000000000DEA2000-memory.dmp

memory/4848-8-0x0000000002A10000-0x0000000002A16000-memory.dmp

memory/3628-9-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ecb6966a5dc7138bd15bde42ed8afb0N.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/3628-14-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/2508-16-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/4848-15-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/2508-17-0x0000000075220000-0x00000000759D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe

MD5 0ecb6966a5dc7138bd15bde42ed8afb0
SHA1 a9fb9c5d41775f19bb298d9cc07fbc67ec83c4ca
SHA256 8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9
SHA512 bd5e9c0a9e675ce4881db3ec6ecf17f323a1d72eb31c7d84532086b95965fd8aa1a87520eee284379ceb767d29803ed3e94b7e76d3da011a936cdb264b6140db

memory/3628-29-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/4708-28-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/4708-34-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/2508-35-0x0000000075220000-0x00000000759D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp

MD5 4709b3c4e44618aa0e9f4e74cc0a5d70
SHA1 27a34945f5a2e2e4b7cffd048f6f48e67d1b2cb2
SHA256 c6b2e616991e91b4db617474617d3085e7394150ddaa7ef332c89bf1b8172021
SHA512 41c343928c4e336baa51b10f589442946145246de1743ecdba4a7ff4cdc70852f208b01ccd24a116a6a59e6f56078c1b8ec2f3e3fd6c3a10e72238919aceff17