xenorat | e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

Analysis

max time kernel
405s
max time network
408s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 16:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

xeno rat server.exe
Size

2.0MB
MD5

3987ee127f2a2cf8a29573d4e111a8e8
SHA1

fc253131e832297967f93190217f0ce403e38cb0
SHA256

3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4
SHA512

69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b
SSDEEP

49152:EnxkNTRWjxoJochWQI3kqXfd+/9AManGhR0vNgtIeGWtOc5Q:ExkNTcaJhDI3kqXf0FtWykQDCiQ

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
svchost

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023dc5-27.dat	family_xenorat
behavioral1/memory/1500-29-0x0000000000FD0000-0x0000000000FE2000-memory.dmp	family_xenorat
behavioral1/memory/4148-49-0x00000000017E0000-0x00000000017F2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	iiwdjajidw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	iiwdjajidw.exe
4148	iiwdjajidw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiwdjajidw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iiwdjajidw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759e5491100557365727300640009000400efbe874f7748385aea842e000000c70500000000010000000000000000003a000000000027162a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000004759495111004465736b746f7000680009000400efbe4759e549475949512e00000065e101000000010000000000000000003e0000000000164150004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{AFD90484-EC37-47BF-B3A3-6B97AEF46475}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000004759ee51100041646d696e003c0009000400efbe4759e549385aea842e0000005be1010000000100000000000000000000000000000075eb8100410064006d0069006e00000014000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	xeno rat server.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe
4148	iiwdjajidw.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4844	xeno rat server.exe
4148	iiwdjajidw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	iiwdjajidw.exe
Token: SeDebugPrivilege	4844	xeno rat server.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4844	xeno rat server.exe
3932	msedge.exe
3932	msedge.exe
1928	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4844	xeno rat server.exe
4844	xeno rat server.exe
1928	rundll32.exe
4888	LogonUI.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4148	1500	iiwdjajidw.exe	93
PID 1500 wrote to memory of 4148	1500	iiwdjajidw.exe	93
PID 1500 wrote to memory of 4148	1500	iiwdjajidw.exe	93
PID 4148 wrote to memory of 3836	4148	iiwdjajidw.exe	95
PID 4148 wrote to memory of 3836	4148	iiwdjajidw.exe	95
PID 4148 wrote to memory of 3836	4148	iiwdjajidw.exe	95
PID 4148 wrote to memory of 3932	4148	iiwdjajidw.exe	98
PID 4148 wrote to memory of 3932	4148	iiwdjajidw.exe	98
PID 3932 wrote to memory of 4672	3932	msedge.exe	99
PID 3932 wrote to memory of 4672	3932	msedge.exe	99
PID 3932 wrote to memory of 2312	3932	msedge.exe	100
PID 3932 wrote to memory of 2312	3932	msedge.exe	100
PID 3932 wrote to memory of 3432	3932	msedge.exe	101
PID 3932 wrote to memory of 3432	3932	msedge.exe	101
PID 3932 wrote to memory of 4220	3932	msedge.exe	102
PID 3932 wrote to memory of 4220	3932	msedge.exe	102
PID 3932 wrote to memory of 2496	3932	msedge.exe	103
PID 3932 wrote to memory of 2496	3932	msedge.exe	103
PID 3932 wrote to memory of 3872	3932	msedge.exe	104
PID 3932 wrote to memory of 3872	3932	msedge.exe	104
PID 3932 wrote to memory of 4532	3932	msedge.exe	106
PID 3932 wrote to memory of 4532	3932	msedge.exe	106
PID 3932 wrote to memory of 4860	3932	msedge.exe	107
PID 3932 wrote to memory of 4860	3932	msedge.exe	107
PID 3932 wrote to memory of 2884	3932	msedge.exe	108
PID 3932 wrote to memory of 2884	3932	msedge.exe	108
PID 3932 wrote to memory of 3392	3932	msedge.exe	109
PID 3932 wrote to memory of 3392	3932	msedge.exe	109
PID 3932 wrote to memory of 2788	3932	msedge.exe	110
PID 3932 wrote to memory of 2788	3932	msedge.exe	110
PID 3932 wrote to memory of 1312	3932	msedge.exe	111
PID 3932 wrote to memory of 1312	3932	msedge.exe	111
PID 4148 wrote to memory of 1928	4148	iiwdjajidw.exe	114
PID 4148 wrote to memory of 1928	4148	iiwdjajidw.exe	114
PID 4148 wrote to memory of 1928	4148	iiwdjajidw.exe	114
PID 1928 wrote to memory of 1004	1928	rundll32.exe	115
PID 1928 wrote to memory of 1004	1928	rundll32.exe	115
PID 1928 wrote to memory of 1004	1928	rundll32.exe	115

C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe
"C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\Desktop\iiwdjajidw.exe
"C:\Users\Admin\Desktop\iiwdjajidw.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Roaming\XenoManager\iiwdjajidw.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\iiwdjajidw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2333.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\EdgeAutomationData
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\EdgeAutomationData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\EdgeAutomationData\Crashpad --metrics-dir=C:\EdgeAutomationData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9f2b746f8,0x7ff9f2b74708,0x7ff9f2b74718
      4⤵
      PID:4672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --no-sandbox --user-data-dir="C:\EdgeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2144 --allow-no-sandbox-job /prefetch:2
      4⤵
      Modifies registry class
      PID:2312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:3
      4⤵
      PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=2504 --allow-no-sandbox-job /prefetch:8
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2096,6689595439498484122,2063538382654013056,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1312
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,#61
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EdgeAutomationData\Crashpad\settings.dat

Filesize
152B

MD5
63d6123b14b3f1a57341e2286695e948

SHA1
767079930dc2aca68cd428ceb3e8516a3e15e2ec

SHA256
642a03d3ffc563a440cef6f36f07c4ed7d9a15268ee96944a8d590ff824d0484

SHA512
d4f4da81a856b4705865b28837734d35a61827d0c3a245cebc6652b5d77217cd0428600935741c0df8fdea6a26bdb0d277993574b5415e534973070f749ea28d

Download Submit
C:\EdgeAutomationData\Crashpad\settings.dat

Filesize
152B

MD5
acf89b1de95a84824446332cafcdcce5

SHA1
4a082b3a3de48e0241dfc5b35ab8f736d420c712

SHA256
31146e739cf88c4a9724ac7ea905af45d66b3798c58506af95ad772ed2bbddc8

SHA512
cd570ff6f4d40177c99e3ee8f1be7cb8c3ef7b893b0e6509d93a8c46c01694a520abd6a50c1102c3e6afd2ca158ea4d99545bb3bd266bd5b27ed4d42495581ab

Download Submit
C:\EdgeAutomationData\Crashpad\settings.dat

Filesize
152B

MD5
220381b92bdc1b1bf46721b18123fda2

SHA1
ae2e81e883886ddd421acc32fcc872428b7ef13f

SHA256
264cc7918b7a8ba8921b673e8272d81d28899901ddf913205c7262c310bb6c15

SHA512
36982a4c269dfe60800a613f364d10ea024f49da746394bba5aadf943757199665ae7652392d0ad1626f2ea7f97be7ca989eb8e38d85710205f0f64422642d1f

Download Submit
C:\EdgeAutomationData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\EdgeAutomationData\Default\37980f03-5f8f-4d4c-a1d4-a7ccfdb459f5.tmp

Filesize
4KB

MD5
79961b0ec7a218981852458672a84fd5

SHA1
a39b0305b66fceb31eff5d222f9f595b20715471

SHA256
1d7d2ae576b36bbf3a8d5204046c5e60ba723d309e53e36aa4233f48cb983e4c

SHA512
57e1635acee75b1ab4e53f93c4fcf1d6af38db36305a8bc713df2c0995e6ee311e44aa4b73fc18a04481c71a5bfc201460eed94e8c3dd1ab6b3e2dcc951ebf36

Download Submit
C:\EdgeAutomationData\Default\Cache\data_1

Filesize
264KB

MD5
42f45fe60d4fc7b74fca481a35dfb6dc

SHA1
cc94dbd2fc84990d3ca849deedbe78d37331c735

SHA256
0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f

SHA512
c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

Download Submit
C:\EdgeAutomationData\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\EdgeAutomationData\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\EdgeAutomationData\Default\Preferences

Filesize
5KB

MD5
01f79f1d93f359a4c281a67ce925db87

SHA1
cd44fa4bcbfee67b08115195de27a72791c1bd29

SHA256
7dbb17cf828e7115675d3619f5be6f610eaaa6b68e667b0b9a470c95088105ca

SHA512
e55d292dca863ab8b88ca15fc32ca0dce5c52cc8e3427a556ac457dcdab9485466f85aeb4bc02aee7140f24cb447382ea833d01e6a79fd244cec0aae5252370d

Download Submit
C:\EdgeAutomationData\Default\Secure Preferences

Filesize
24KB

MD5
4432826bf7d9af326df891b0b2301919

SHA1
8947dd88504fa3971b4619857acc347154da628c

SHA256
5a2b17649e59d9c05df10b3d1657c65771744bab632ef6015058a0e4c1aff842

SHA512
a271f75343d456749e1891f8683b14e70b4fb541567fcbba65bbe0f098b6d8081b925bb0264d0bc10b9234ce807e160008789a670cc69dd2f6a05f1598cc58ea

Download Submit
C:\EdgeAutomationData\Default\Secure Preferences~RFe5b8d19.TMP

Filesize
24KB

MD5
fafd67a9d7e053e3079e4dc1a6ee847a

SHA1
047768b947395a2f4bc6b4733da66758aeb0cf6c

SHA256
4365057dc3b736b76d5f45d2794a5e21c8636336b21925212afc508c50e7fce3

SHA512
89a8f1622e0a4e6917565d01ac191ade21c7ea10034b876563718cdee0a7d3f46d8981c418f776c661ec6f3b93cd1fdd9514ae1e6bfb21b8f39e5033b16e4259

Download Submit
C:\EdgeAutomationData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\EdgeAutomationData\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\EdgeAutomationData\GrShaderCache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\EdgeAutomationData\f234cc1e-5dbf-43a1-908d-4757f8bb56bf.tmp

Filesize
8KB

MD5
84bd6def8540d82cac68f0a3a2a41a15

SHA1
acb22443499e23629be9b27b1015e96d502681fa

SHA256
0dcc67f2bf3f700d5078c7c4ff273409122cff66396c0a93da1c510cdba59010

SHA512
37ead9a72004a10fbd00c9558f9afb048361a7172d5dcaa129e9ddd41ce9b78d399177f7c07d838eccd5b7384bff9ce153296b72db1b997dc2dfa452c8e42098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iiwdjajidw.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2333.tmp

Filesize
1KB

MD5
5dc751a6e8937b4e86bd91a3feaf28c3

SHA1
3e2025704c70e374709a5b51ed2f2be64922be05

SHA256
162ce6cb10950ce5c19aa8ecb7cab096845413d71d6977585cb031a4aa08fd4e

SHA512
bcc40754cc10567667d950184007eba51113db285903bd30689dbbcedabca691608fdbbc7f04beeba8f9516b44801609cc3421207c8724cde3f4339ef686f395

Download Submit
C:\Users\Admin\Desktop\iiwdjajidw.exe

Filesize
45KB

MD5
22e79f7c1b441da83c52d7decff2ec52

SHA1
830260a1150f16c5de319bf8304541ba1d6f3ecd

SHA256
333c8b251d1592b79a4510b808c0994859068908263ea414bec0b93971a4f150

SHA512
bbf94841e7d3a301e5d83b98cfc4562a048db71b08083c71bd05490c84bbdf6558a43c8de07df60a81c010ac27fd82ca8c677497d6412e0c880e961685fd05a4

Download Submit
memory/1500-44-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/1500-29-0x0000000000FD0000-0x0000000000FE2000-memory.dmp

Filesize
72KB

Download
memory/1500-31-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4148-47-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4148-49-0x00000000017E0000-0x00000000017F2000-memory.dmp

Filesize
72KB

Download
memory/4844-11-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/4844-10-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4844-18-0x0000000009050000-0x000000000906A000-memory.dmp

Filesize
104KB

Download
memory/4844-17-0x0000000009C00000-0x0000000009D24000-memory.dmp

Filesize
1.1MB

Download
memory/4844-16-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4844-14-0x0000000009DF0000-0x000000000A144000-memory.dmp

Filesize
3.3MB

Download
memory/4844-13-0x0000000008780000-0x0000000008832000-memory.dmp

Filesize
712KB

Download
memory/4844-12-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4844-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/4844-48-0x000000000CD90000-0x000000000CDA2000-memory.dmp

Filesize
72KB

Download
memory/4844-9-0x0000000009BD0000-0x0000000009BF2000-memory.dmp

Filesize
136KB

Download
memory/4844-8-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

Filesize
72KB

Download
memory/4844-7-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/4844-6-0x0000000005840000-0x0000000005854000-memory.dmp

Filesize
80KB

Download
memory/4844-5-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4844-4-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4844-3-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/4844-2-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/4844-1-0x00000000005D0000-0x00000000007D2000-memory.dmp

Filesize
2.0MB

Download
memory/4844-349-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads