Malware Analysis Report

2024-10-23 20:26

Sample ID 240901-mcnlxaydkg
Target Fixer.rar
SHA256 8c50b01988e0e4134e623d602f82c33c22add9e337cf403a590288ad95711031
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c50b01988e0e4134e623d602f82c33c22add9e337cf403a590288ad95711031

Threat Level: Known bad

The file Fixer.rar was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 10:19

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 10:19

Reported

2024-09-01 10:28

Platform

win7-20240729-en

Max time kernel

199s

Max time network

317s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
PID 2136 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
PID 2136 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
PID 2136 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
PID 2036 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 2696 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2696 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2696 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 2916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 3032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 3032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 3032 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2092 wrote to memory of 272 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe

"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "System-33" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp" /F

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fb9758,0x7fef6fb9768,0x7fef6fb9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2792 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2108 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1032 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1036 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2084 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3596 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3548 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3432 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3484 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2728 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8

Network

Country Destination Domain Proto
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 www.meadiafire.com udp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
GB 142.250.178.3:80 www.gstatic.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
N/A 127.0.0.1:69 tcp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
GB 142.250.178.3:80 www.gstatic.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
GB 142.250.179.228:443 www.google.com udp
US 208.91.196.105:443 www.meadiafire.com tcp
US 208.91.196.105:443 www.meadiafire.com tcp
US 8.8.8.8:53 www.mediafire.com udp
US 104.17.151.117:443 www.mediafire.com tcp
US 104.17.151.117:443 www.mediafire.com tcp
N/A 127.0.0.1:69 tcp
US 104.17.151.117:443 www.mediafire.com tcp
US 104.17.151.117:443 www.mediafire.com tcp
US 104.17.151.117:443 www.mediafire.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 static.mediafire.com udp
GB 216.58.201.106:443 ajax.googleapis.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 8.8.8.8:53 translate.google.com udp
GB 172.217.169.14:443 translate.google.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 104.17.151.117:443 static.mediafire.com tcp
US 8.8.8.8:53 translate.googleapis.com udp
GB 142.250.187.202:443 translate.googleapis.com tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp

Files

memory/2136-0-0x000000007471E000-0x000000007471F000-memory.dmp

memory/2136-1-0x0000000000930000-0x0000000000942000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe

MD5 5ef7344600895b2f13d5d8e44537d946
SHA1 bdf05e86b0c923a0c1edead40cc50819b185d4c0
SHA256 50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0
SHA512 9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69

memory/2036-9-0x000000007402E000-0x000000007402F000-memory.dmp

memory/2036-10-0x0000000000130000-0x0000000000142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp

MD5 2ab093f77a33e7004e362f78c87763a8
SHA1 2a4dcef9285dd583a33c1c5195cac7a37daee193
SHA256 4691f336ef4ce21e9f11416ab10393a8d4760db2025cfc0bd59acc25e018e234
SHA512 343b32e2048b259717e04dd98ef8900f3951ca79169947f1ed642b76965d95d517bd5a7878897aee21bd4350ac96aa1240e9d7e86e0fb53b05e28da716e95d3f

memory/2036-13-0x0000000074020000-0x000000007470E000-memory.dmp

memory/2036-14-0x0000000074020000-0x000000007470E000-memory.dmp

memory/2680-15-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2680-16-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2680-17-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2680-18-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

\??\pipe\crashpad_2092_VSPKZTCZQVUODOJJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 913e4def61d919c48868f4a343d8ca85
SHA1 da6d9e7c8b861cce579b4836057bb604918fd884
SHA256 076d3788d57af46f43cb3f0f62081d604e98310273b950511c0b889ae8deec08
SHA512 08eb25423d0a99b108ba1a0648b47b06ed56f4b83e012d49affe79282b41dba80aea9f9489578925cbd2e92152662ec6dce33f85f244ec399f2109947bbabea4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0524ed74bc29de3b44a1a736b39af1d6
SHA1 3e76be7865e90cda6214951a1729c39ed519ae3a
SHA256 2fad702775fb4521d9dbb2e45f62b8df5249a54cc8ae06b114eb5d96cf9cf50c
SHA512 9be602d71e5241f259d520d52d47fc03b4e0778d33889497cb0a795607f19d1c8747994b0312bfac2cc50bbdae65c9312488785a3441f6166654ee3e0a3f05b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fc8d8cd1-90d4-4b93-9145-bdfbc0b4bd39.tmp

MD5 77ba4ca0a41e32a12b32e94e35c1a0bb
SHA1 f51e2cdeade3e3d0af57eb4bdbd18b914405c8d6
SHA256 5e5f8babfaf081ce7838732fa4f95669c0b141ebf2667d47a0813b388df02370
SHA512 d20184a51a45015fde18a6ff4cfc3268e7ef5101b38ffaec4d89cb48aaba68667ed4ff9e33c430ab38ca5ffc1833a5cc16e63c40f0afdde3d4c6c7818b517779

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a44858dd1695b04d7f9f6db6ba26307e
SHA1 dfee5a431e0267e2f5353609e483389588f82cbe
SHA256 b338328967ee25ae3e7b5602dbd4d2478b4843a56679d1dd72089b7c240f53fe
SHA512 7d32d68f704a153ff31bccfa08170044f0ac0329c925c86d60154d9512d49835c9d7f28779e0368dd6b8b2d366157c72b70221be129629ec5a2b5816637c1b99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a7adbaa390a08c4f0acbc31eafe05108
SHA1 d60ee3951ecec41c475be6623f3b835785d496d1
SHA256 64544d5e2b79957f1b05a4f6aecb4216dbe6b1ebbd10a8d3e0b169a8ec509d47
SHA512 f65e2a00ca4f3727ce4974e9cad535caf4ed1ace64e7ab9410bdfc0f2704dbcc4315d032a3d881fc670107c0f961a5725f25282a1bec89c8bb69df1bddf92929

C:\Users\Admin\AppData\Local\Temp\Cab252F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 e97a79d27b6c848d47a057300484a961
SHA1 c9964c521d4030fe8252f144d73d8e3fcc3a19fd
SHA256 787519af7f15d9e16b7873792304b912fcecaf9199fb5998bbb9ca267bf0a6fe
SHA512 77b26469b79f05b419ef734ee825878908fc5b961ed7b704043cc3f58f74c1a57235710526ed3cd9983c71f6ec1b399a2d7a7cb9eb3ad427def7ef9e6c9e8062

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cc66a04559056e5750827e417c20487a
SHA1 7830dbc46ec2044f39b07c62eb6e0314409919bc
SHA256 00d566ecaa85068fd69a5e449b225f270a391ec4eaaa9ab53f86ccf3e3202b64
SHA512 8bb661dc71c0d935b92caf8c2e3513d9a65c1f840964b506f7ab048a60928478936d4f28ab14fd6eb9ba40501ce046266dc576775a86e77a664490d7ce0eb368

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ef98b4831e8354fe4224cce10f830501
SHA1 8ab05cec0b56e9b7b5c4ee39978894954754d841
SHA256 c7447bb475834c43473b0565b9543cbd63d179d688a01a5a12f427decfd1c555
SHA512 5b717055f2092142e1abf568551da6cfe81e9319f49d3762000c9fd77943842d6d06f671fedba78f904690bd75c4a7c007b761770282d8a239bf333c2042fe8d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 644b3f19c7752240b386aca3aae19e96
SHA1 6abaa9206d8753ff79ad8a446be74f588408ec32
SHA256 3a74f19bd540bbf5d7a9234ea1dacd5cb4801f63f6ebb4e8cd4a18f522783f0c
SHA512 2829b1c425f088ab160b527cab8212e921063760bed4aac56b714cd9ddf7649adae8236e9f43dbcab9fa542d2185495af4e95f8b6cf232cab45921c60a7c1123

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1aab5eeddec5a0435b8b622669860e2b
SHA1 f0b3026e115110067cc87cc87c93464420cebfa3
SHA256 7ac36da87e86d2a0e74cbadd546ad762142e22b486fdf56906fc3df9e5cde9de
SHA512 8ec8b5202eb9f3ea6e5d0aab04c1b745e3f6d44020b413f143bb19825c94b62c5368a3faab6486663ed355285257e22a9089929d38d88777f63d122037a9004d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9dbc5398e9eede809143c515101d34d2
SHA1 d75ae74a23b3993379ef8795230f1cebc517bac3
SHA256 3164e42f2f6c7b3e833e980eb0b8767a32196d963a68f6abe573d4e11ca6d448
SHA512 45068f24bc3d6fecfbe589a99ce66bde1c26d95781427d056469f9e8d47bf4a9cb91f61786c63fb365e4b558a085a848a3b25b8d91ab42f7e43775483403f43b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a2a0760058608e7667c64973f5c6213a
SHA1 7ad39c67347bea72e94e0d74c30364d1917d1c81
SHA256 dda6e4ec24214051e3241cfefc5f30430070d2ed1209d33effc00e17580060ca
SHA512 72a7ecf0d12e793fdd74a12420c1c13995bb2d7d24374555cb0aa8685ba1d0969b8663562b55529b7666dd98e88670e3b48718586b0e17ca47840d47acf266dc

C:\Users\Admin\AppData\Local\Temp\TarD58D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bb35cd0cc1a1514ec16831e9e143498
SHA1 ba49f9d485c111c32a333eb14e146ea730496c22
SHA256 212b307b6f70768cba939f1c0acacfaf726f261d30fd53220f490c61e3db11df
SHA512 8d89340cb23f9983853a4c7ad64568083a8b35af142470480e7603c23c2514278a96bf1243d59549b81e87ff09316330ddcdceedcc2c8004e64d8a3156ca0b50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ab5273f4bcab5d981fa808ff61652423
SHA1 f0e778475363bb55e416f0a9989e3375651be28f
SHA256 09b5c606b2b80e75e3df3f0d0dbce79bc914f74b968a369f7daf2cc27991c5e4
SHA512 a1637c30ff4e4b2262fc6023f914432050e354e1c903922deaa7c0590fde8388e4d8111145db763a86537ccba93a5fe66645ba37b073ebb5601009b392b3f964

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 658c0a9bfcbe4b310288ea4afec1b1b2
SHA1 e89505906433a3813d6f70f49f9361a0b82daca9
SHA256 7b0580168f11c656722ac6f482b9e231000fa713a2c8e05e4367bc8ffd0d15eb
SHA512 a5e476bbd499d87e8cbe23224c8fc629c00da6898409e96b192430d42e2ecfd40ebf827e1eff1ad552c33c077340c2f4035a448dd578dbc51e81125db75b8221

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\441d58b4-7d81-4a22-82fc-3bfc5ac021fc.tmp

MD5 5e4e772c27b3b8f17384d664d3f90135
SHA1 84902dcdf39810594f2db0d9d51df2cbb70befdf
SHA256 b743ddaf2fe264965e9bd363df6504ecb1b1797b5a9da4ac202835ce7d994bb9
SHA512 e1d1882e6f9481c378ca94a73311b9cc3ba7d1012d5ab979fdc13604a9fcd1061c2281e34dffd259ff3fce3b250c715204186aff84667108d468ab90a86a4af9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6fe27b1fd96525a4a6d500672c063121
SHA1 fa5c21998b643b4c3239bd092d41292b662518ca
SHA256 fe39c4e9b259d95ef7ed3858217d1ca0ff768e5a8640be62c47a5820dbbdbccc
SHA512 b9afae11cb06df21bfe6ac9fe280d61b6bc97281432f8d75c48dc323ce2f495bf12f81fea7c04c62537d041e39dfdbd3069e19f5c6ca1cfca6600aea04f4295a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 7846d5f5a4c13dcec215d8d27eac98e3
SHA1 0fd729afb1c5eafef3d63731a758aff102aef355
SHA256 d9cb8546190623662b87d952078d23b2509515367225d9aef06ba5dff7dcde58
SHA512 3b94b983485ced3bb4e1006b65fd7d45ac92009034aaf9f796f262069cbcaf094ef83f498dad849e251e145d87dd66cb9db1e3eb43235079c18c4d1206db9580

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 715bde5af4dbd15b46825ebf6988ed26
SHA1 db1c72d954ba4cf51af068af1908658150b4a944
SHA256 b58ff602bc5a69b895690822cd46595f5f70e08d68171b305c38defecdd846a9
SHA512 106d1edd41a13777f1a7b76d60a20b98fd9715c955599a8b9087917e3849a839edb508635c0cc5f8dd25a1d0f5ffb6b8e358c608c9aba49ce2ba162ad84f1dec

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 10:19

Reported

2024-09-01 10:24

Platform

win10v2004-20240802-en

Max time kernel

293s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe

"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "System-33" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5D3.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp
N/A 127.0.0.1:69 tcp

Files

memory/404-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

memory/404-1-0x00000000003E0000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe

MD5 5ef7344600895b2f13d5d8e44537d946
SHA1 bdf05e86b0c923a0c1edead40cc50819b185d4c0
SHA256 50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0
SHA512 9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fixer.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3724-16-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/3724-17-0x0000000074E70000-0x0000000075620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB5D3.tmp

MD5 2ab093f77a33e7004e362f78c87763a8
SHA1 2a4dcef9285dd583a33c1c5195cac7a37daee193
SHA256 4691f336ef4ce21e9f11416ab10393a8d4760db2025cfc0bd59acc25e018e234
SHA512 343b32e2048b259717e04dd98ef8900f3951ca79169947f1ed642b76965d95d517bd5a7878897aee21bd4350ac96aa1240e9d7e86e0fb53b05e28da716e95d3f

memory/3724-19-0x0000000074E70000-0x0000000075620000-memory.dmp