Malware Analysis Report

2024-10-23 20:26

Sample ID 240904-kybs5axclj
Target Bakiye Odemesi.exe
SHA256 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5

Threat Level: Known bad

The file Bakiye Odemesi.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

XenorRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-04 09:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-04 09:00

Reported

2024-09-04 09:02

Platform

win7-20240903-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

Signatures

XenorRat

trojan rat xenorat

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened (3 events) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe N/A
Key opened (2 events) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe N/A
Key opened (1 event) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2364 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe
PID 2744 wrote to memory of 2820 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe
PID 2364 wrote to memory of 2548 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 2548 wrote to memory of 2084 (9 events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 2548 wrote to memory of 560 (9 events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 2820 wrote to memory of 2912 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp" /F

Network

Country Destination Domain Proto
US 154.216.17.155:1357 tcp (9 connections)

Files

memory/2744-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

memory/2744-1-0x0000000000FC0000-0x0000000001016000-memory.dmp

memory/2744-2-0x00000000004F0000-0x00000000004F6000-memory.dmp

memory/2744-4-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2744-3-0x0000000000B30000-0x0000000000B7C000-memory.dmp

memory/2744-5-0x00000000005E0000-0x00000000005E6000-memory.dmp

memory/2364-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2364-18-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2820-19-0x00000000748E0000-0x0000000074FCE000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

MD5 24e9bc794e235d1c01d3a8e64352c9bf
SHA1 e3cfd7882fd7e2b05beeaa61637c1f53493710ce
SHA256 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
SHA512 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673

memory/2744-23-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2548-28-0x0000000000950000-0x00000000009A6000-memory.dmp

memory/2364-27-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2820-37-0x00000000748E0000-0x0000000074FCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAFA0.tmp

MD5 406ff4d74ba6f1b66e20edd337240d35
SHA1 02e7dc3c9e657ec64214781012dd77bf667d5c1e
SHA256 d21d99ef59f519351e544fd63e7c999ddac53f52085d376138a6c98fe14f0bf6
SHA512 32e5adc639e5758646ea036f26fac6b5fa45d30f2ae89263465edadf6412b774732cca917f9b05415794d2cc0e674183b7709df7a3ab63c6ded0abb2e4eeac44

memory/2820-40-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2820-41-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-04 09:00

Reported

2024-09-04 09:02

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened (3 events) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe N/A
Key opened (3 events) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe N/A
Key opened (1 event) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4876 wrote to memory of 3592 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe
PID 4876 wrote to memory of 1868 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe
PID 1868 wrote to memory of 216 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 216 wrote to memory of 1532 (8 events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 216 wrote to memory of 2840 (8 events) N/A C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe
PID 3592 wrote to memory of 1636 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Local\Temp\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B6E.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.238.56.23.in-addr.arpa udp
US 154.216.17.155:1357 tcp (8 connections)

Files

memory/4876-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/4876-1-0x0000000000A00000-0x0000000000A56000-memory.dmp

memory/4876-2-0x0000000002DF0000-0x0000000002DF6000-memory.dmp

memory/4876-3-0x00000000053B0000-0x00000000053FC000-memory.dmp

memory/4876-5-0x00000000079A0000-0x0000000007A3C000-memory.dmp

memory/4876-4-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/4876-6-0x0000000007FF0000-0x0000000008594000-memory.dmp

memory/4876-7-0x0000000007A40000-0x0000000007AD2000-memory.dmp

memory/4876-8-0x00000000054E0000-0x00000000054E6000-memory.dmp

memory/3592-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3592-13-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/4876-14-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/1868-15-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3592-16-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Bakiye Odemesi.exe

MD5 24e9bc794e235d1c01d3a8e64352c9bf
SHA1 e3cfd7882fd7e2b05beeaa61637c1f53493710ce
SHA256 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
SHA512 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673

memory/216-28-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/1868-29-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bakiye Odemesi.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/216-34-0x0000000074660000-0x0000000074E10000-memory.dmp

memory/3592-35-0x0000000074660000-0x0000000074E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3B6E.tmp

MD5 406ff4d74ba6f1b66e20edd337240d35
SHA1 02e7dc3c9e657ec64214781012dd77bf667d5c1e
SHA256 d21d99ef59f519351e544fd63e7c999ddac53f52085d376138a6c98fe14f0bf6
SHA512 32e5adc639e5758646ea036f26fac6b5fa45d30f2ae89263465edadf6412b774732cca917f9b05415794d2cc0e674183b7709df7a3ab63c6ded0abb2e4eeac44