Malware Analysis Report

2025-04-13 23:01

Sample ID 250319-jlh61axqv8
Target 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe
SHA256 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3
Tags
xenorat discovery rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3

Threat Level: Known bad

The file 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

Detect XenoRat Payload

XenorRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2025-03-19 07:45

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-19 07:45

Reported

2025-03-19 07:50

Platform

win7-20241023-en

Max time kernel

300s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"

Signatures

Detect XenoRat Payload

Description Indicator Process Target
(3 hits; no description, indicator, process or target recorded)

XenorRat

trojan rat xenorat

Xenorat family

xenorat

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened. Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (10 hits; Target N/A throughout). Processes, with hit counts:
C:\Windows\SysWOW64\cmd.exe (1)
C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe (1)
C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe (1)
C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (3)
C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (3)
C:\Windows\SysWOW64\schtasks.exe (1)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe N/A

Suspicious use of WriteProcessMemory

Description (write events): Process -> Target
(Indicator was N/A in every row. Identical rows are collapsed; the number in parentheses is how many write events the table recorded for that writer/target pair.)
PID 2628 wrote to memory of 2896 (4): C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe -> C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2804 (4): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
PID 2804 wrote to memory of 2112 (4): C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 2112 wrote to memory of 1492 (9): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (same image)
PID 2112 wrote to memory of 1760 (9): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (same image)
PID 1760 wrote to memory of 2348 (4): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
PID 2348 wrote to memory of 1632 (9): C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (same image)
PID 2348 wrote to memory of 2168 (9): C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (same image)
PID 1492 wrote to memory of 2360 (4): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Windows\SysWOW64\schtasks.exe
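The WriteProcessMemory table is the fastest way to recover the process chain of this sample: every writer/target pair is a parent writing into a child it just created, and pairs where writer and target share an image path are the self-spawn-then-write pattern that the "Suspicious use of SetThreadContext" signature also points at. The script below is an added example, not part of the sandbox report; it parses rows in the sandbox's own one-line-per-write format, collapses repeats into counts, prints the chain as a tree and flags the same-image writes and the hop into schtasks.exe. The sample rows are copied from the behavioral1 table with most repeats dropped, so the counts here are smaller than the report's; the "same image means hollowing candidate" reading is a heuristic, not proof.

```python
"""Rebuild the process chain from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report. SAMPLE holds rows copied from
the behavioral1 table (sandbox format: 'PID <src> wrote to memory of <dst>
N/A <writer image> <target image>'); only a few repeats are kept.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"""
PID 2628 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
PID 2804 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 2112 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 2112 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 2112 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 1760 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
PID 2348 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
PID 2348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
PID 1492 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe C:\Windows\SysWOW64\schtasks.exe
"""


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def build_tree(rows):
    """Collapse repeated rows into per-pair counts; remember each PID's image and children."""
    edges, images, children = Counter(), {}, defaultdict(list)
    for src, dst, src_img, dst_img in rows:
        if (src, dst) not in edges:
            children[src].append(dst)
        edges[(src, dst)] += 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return edges, images, children


def roots(edges):
    """PIDs that write into others but were never written into: the top of the chain."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def self_image_writes(edges, images):
    """Writer and target share an image path (spawn-self-then-write pattern). Heuristic only."""
    return sorted((s, d) for s, d in edges if images[s] == images[d])


def writers_of(edges, images, basename):
    """PIDs that wrote into a process whose image ends with `basename`."""
    return sorted(s for s, d in edges if images[d].lower().endswith(basename.lower()))


def render(edges, images, children, pid, depth=0, out=None, count=None):
    """One indented line per process, with the number of writes received from its parent."""
    out = [] if out is None else out
    suffix = f"  [{count} write(s) from parent]" if count else ""
    out.append("  " * depth + f"{pid}  {images[pid]}{suffix}")
    for child in children.get(pid, []):
        render(edges, images, children, child, depth + 1, out, edges[(pid, child)])
    return out


def analyse(text):
    rows = parse_rows(text)
    edges, images, children = build_tree(rows)
    top = roots(edges)
    return {
        "roots": top,
        "tree": [line for r in top for line in render(edges, images, children, r)],
        "self_image_writes": self_image_writes(edges, images),
        "schtasks_writers": writers_of(edges, images, "schtasks.exe"),
        "edge_counts": dict(edges),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("\n".join(result["tree"]))
    print("same-image writes (hollowing candidates):", result["self_image_writes"])
    print("wrote into schtasks.exe:", result["schtasks_writers"])
```

Run it as-is to print the behavioral1 chain; feed it the full table (or the behavioral2 one) to get the real counts. The same-image pairs it reports (2112 into 1492 and 1760, 2348 into 1632 and 2168) are exactly the processes that carry the dumped memory regions in the Files section.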

Processes

C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe
  "C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "

C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
  afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
  "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
  (4 further instances of this image listed without a command line)

C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
  (4 further instances of this image listed without a command line)

C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 salutoepiesircam.sytes.net udp

Files

C:\Users\Admin\AppData\Local\Temp\budshpdig.bat

MD5 3c7b48100b1343fb5e491b6e25b3f973
SHA1 c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1
SHA256 82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b
SHA512 989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108

C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe

MD5 b0f7c04b2eeecc36eaf4b8028f039fca
SHA1 f4215f7f99a94bc0f11caed46fba0f5b6d894bf3
SHA256 49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0
SHA512 ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27

C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe

MD5 e1dc7c5bc0e25c682383ed45a4f1b62d
SHA1 efb65a80c919f0c3b7d20f7e6936c4ed1bc39526
SHA256 8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6
SHA512 a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc

memory/2112-37-0x0000000001310000-0x0000000001354000-memory.dmp

memory/2112-38-0x00000000001B0000-0x00000000001B6000-memory.dmp

memory/2112-39-0x00000000003D0000-0x000000000040E000-memory.dmp

memory/2112-40-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1492-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1492-45-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1492-42-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2348-59-0x00000000010F0000-0x0000000001134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBC5D.tmp

MD5 4ca9b69da92c5e2bccf63c0e57f8888d
SHA1 3812235f99f0f0685ecf6566816c8d0182601163
SHA256 0320bb6bdd7e13012024f1239019036e8707883cc208e2a9d63827568e4ee18e
SHA512 c912aef98bb83d9c6784574b01defd757f49a70079762d94961ee503a46b31502361bb067e345fcad733afd5f06dd00c6f6e8c98e7d010e96a7779ae6fb9853d

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-19 07:45

Reported

2025-03-19 07:50

Platform

win10v2004-20250314-en

Max time kernel

292s

Max time network

295s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"

Signatures

Detect XenoRat Payload

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

XenorRat

trojan rat xenorat

Xenorat family

xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened. Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9 hits; Target N/A throughout). Processes, with hit counts:
C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (3)
C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (2)
C:\Windows\SysWOW64\cmd.exe (1)
C:\Windows\SysWOW64\schtasks.exe (1)
C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe (1)
C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe (1)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe N/A

Suspicious use of WriteProcessMemory

Description (write events): Process -> Target
(Indicator was N/A in every row. Identical rows are collapsed; the number in parentheses is how many write events the table recorded for that writer/target pair.)
PID 1164 wrote to memory of 2804 (3): C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe -> C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 5412 (3): C:\Windows\SysWOW64\cmd.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
PID 5412 wrote to memory of 5188 (3): C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
PID 5188 wrote to memory of 4932 (8): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (same image)
PID 5188 wrote to memory of 4964 (8): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe (same image)
PID 4932 wrote to memory of 2900 (3): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
PID 2900 wrote to memory of 6096 (8): C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (same image)
PID 2900 wrote to memory of 3116 (8): C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe -> C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe (same image)
PID 4964 wrote to memory of 1052 (3): C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe -> C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe
  "C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "

C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
  afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
  "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
  (4 further instances of this image listed without a command line)

C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
  (4 further instances of this image listed without a command line)

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6096 -ip 6096

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 80
  (Windows Error Reporting for PID 6096, one of the two XenoManager\afgsfxf.exe processes that PID 2900 wrote into; this is the "Program crash" entry in the summary)

C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp" /F
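Both detonations show the same five-step chain: cmd.exe runs a .bat from Temp, the .bat runs a password-protected self-extractor (afgsfxf.sfx.exe -p<password> -d<dir>) into Temp, the extracted afgsfxf.exe spawns a copy of itself and writes into it, one copy registers a scheduled task named "setting" from a tmp*.tmp XML in Temp, and another copy launches the persistent instance from %APPDATA%\XenoManager. The block below is an added example, not part of the report or of the XenoRat project: five process-creation rules, one per step, applied to Sysmon-style events and correlated up the parent chain so that a single weak hit (self-spawn, schtasks /XML) is only reported when the rest of the chain is present. The events are constructed from the behavioral2 Processes and WriteProcessMemory tables (PIDs, images and command lines as listed there; parent links follow the WriteProcessMemory rows); the explorer.exe/svchost.exe parents and the final benign schtasks event are invented controls, and the rule names and thresholds are my own.

```python
"""Process-creation rules for the dropper chain in this report.

Added example, not part of the sandbox report or the XenoRat project. EVENTS is
constructed from the behavioral2 tables; the explorer.exe / svchost.exe parents
and the last (benign) schtasks event are invented controls.
"""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SFX = r"C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
XENO_EXE = r"C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"


def ev(pid, ppid, image, parent_image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline}


EVENTS = [  # parent links follow the behavioral2 WriteProcessMemory rows
    ev(1164, 1000, SAMPLE_EXE, r"C:\Windows\explorer.exe", f'"{SAMPLE_EXE}"'),
    ev(2804, 1164, CMD, SAMPLE_EXE, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "'),
    ev(5412, 2804, SFX, CMD, r"afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp"),
    ev(5188, 5412, TEMP_EXE, SFX, f'"{TEMP_EXE}"'),
    ev(4964, 5188, TEMP_EXE, TEMP_EXE, f'"{TEMP_EXE}"'),
    ev(4932, 5188, TEMP_EXE, TEMP_EXE, f'"{TEMP_EXE}"'),
    ev(1052, 4964, SCHTASKS, TEMP_EXE, r'"schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp" /F'),
    ev(2900, 4932, XENO_EXE, TEMP_EXE, f'"{XENO_EXE}"'),
    # invented benign control: a task imported from an XML outside Temp
    ev(7000, 800, SCHTASKS, r"C:\Windows\System32\svchost.exe", r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml" /F'),
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_cmd_runs_temp_bat(e):
    """cmd.exe launching a .bat that lives in the user's Temp directory."""
    return (_base(e["image"]) == "cmd.exe"
            and re.search(r'\\temp\\[^"\s]+\.bat', e["cmdline"], re.I) is not None)


def rule_sfx_password_extract_to_temp(e):
    """A *.sfx.exe run with -p<password> and -d<dir>, extracting into Temp."""
    c = e["cmdline"]
    return (e["image"].lower().endswith(".sfx.exe")
            and re.search(r"(^|\s)-p\S+", c) is not None
            and re.search(r"(^|\s)-d\S*\\temp(\\|\s|$)", c, re.I) is not None)


def rule_schtasks_xml_from_temp(e):
    """schtasks /Create importing its task definition from a tmp*.tmp file in Temp."""
    c = e["cmdline"]
    return (_base(e["image"]) == "schtasks.exe"
            and re.search(r"/create\b", c, re.I) is not None
            and re.search(r'/xml\s+"?[^"\s]*\\temp\\tmp[0-9a-f]+\.tmp', c, re.I) is not None)


def rule_runs_from_xenomanager_dir(e):
    """Image executing from %APPDATA%\\XenoManager, where the sample installs its copy."""
    return "\\appdata\\roaming\\xenomanager\\" in e["image"].lower()


def rule_self_spawn(e):
    """Child image identical to parent image (seen for both the Temp and XenoManager copies)."""
    return e["image"].lower() == e["parent_image"].lower()


RULES = [rule_cmd_runs_temp_bat, rule_sfx_password_extract_to_temp,
         rule_schtasks_xml_from_temp, rule_runs_from_xenomanager_dir, rule_self_spawn]


def evaluate(events):
    """pid -> names of the rules that fired on that event (pids with no hit are omitted)."""
    hits = {}
    for e in events:
        names = [r.__name__ for r in RULES if r(e)]
        if names:
            hits[e["pid"]] = names
    return hits


def ancestry(events, pid):
    """[pid, parent, grandparent, ...], following ppid until it leaves the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def chains(events, min_rules=3):
    """For each flagged process at the end of a branch, gather the distinct rules along its
    ancestry; report it only when at least `min_rules` different steps of the chain are present."""
    hits = evaluate(events)
    parents = {e["ppid"] for e in events}
    out = {}
    for pid in hits:
        if pid in parents:
            continue
        lineage = ancestry(events, pid)
        rules = sorted({r for p in lineage for r in hits.get(p, [])})
        if len(rules) >= min_rules:
            out[pid] = rules
    return out


if __name__ == "__main__":
    for pid, rules in chains(EVENTS).items():
        print(pid, "->", " > ".join(map(str, ancestry(EVENTS, pid))), rules)
```

The benign control (task XML under C:\ProgramData) trips nothing, while both leaves of the malicious tree (the schtasks child and the XenoManager instance) correlate four of the five rules. The per-rule checks are deliberately narrow to this chain; the correlation step is what keeps the broad ones (self-spawn, schtasks /XML) from paging anyone on their own.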

Network

Country Destination Domain Proto (rows)
US 8.8.8.8:53 g.bing.com udp (1)
US 150.171.27.10:443 g.bing.com tcp (1)
US 8.8.8.8:53 salutoepiesircam.sytes.net udp (6)
US 8.8.8.8:53 c.pki.goog udp (1)
GB 142.250.180.3:80 c.pki.goog tcp (1)
US 8.8.8.8:53 salutoepiesircam.sytes.net udp (23)
Identical consecutive rows are collapsed; the count is the number of rows in the original table. salutoepiesircam.sytes.net (sytes.net is a No-IP dynamic-DNS domain) was queried 29 times in total and only ever queried: no connection to a resolved address appears in either detonation. g.bing.com and c.pki.goog are typical Windows 10 background traffic (Bing and Google certificate-status lookups); the report does not tie them to any sample process.
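The network table needs two readings at once: which names belong to dynamic-DNS providers (a fixed C2 hostname on a churning IP), and which names are resolved over and over without any follow-up connection (the name did not resolve, or the server was down at detonation time; the table cannot tell these apart). The block below is an added example, not part of the report: it parses rows in the sandbox's "Country Destination Domain Proto" format, separates port-53 UDP lookups from real connections, and lists the names worth a second look. The rows are copied from the behavioral2 table with the 29 sytes.net queries cut to three; the dynamic-DNS suffix list is my own partial list and the three-query threshold is an arbitrary choice.

```python
"""Triage a sandbox 'Network' table: dynamic-DNS names and DNS-only names.

Added example, not part of the sandbox report. SAMPLE is copied from the
behavioral2 table with the repeated sytes.net rows cut down to three.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")

# Assumption: a partial list of No-IP dynamic-DNS suffixes; extend it for your environment.
DYNAMIC_DNS_SUFFIXES = ("sytes.net", "ddns.net", "hopto.org", "zapto.org", "no-ip.org", "no-ip.biz")

SAMPLE = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 salutoepiesircam.sytes.net udp
US 8.8.8.8:53 salutoepiesircam.sytes.net udp
US 8.8.8.8:53 salutoepiesircam.sytes.net udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
"""


def parse_table(text):
    """Return (country, ip, port, domain, proto) tuples; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain, proto))
    return rows


def is_dynamic_dns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def summarize(rows):
    """Per domain: how many DNS lookups, which real connections, and the two flags."""
    out = defaultdict(lambda: {"dns_queries": 0, "connections": [],
                               "dynamic_dns": False, "dns_only": True})
    for country, ip, port, domain, proto in rows:
        entry = out[domain]
        entry["dynamic_dns"] = is_dynamic_dns(domain)
        if proto == "udp" and port == 53:          # a resolver lookup, not the target itself
            entry["dns_queries"] += 1
        else:                                       # traffic to the name's resolved address
            entry["connections"].append((ip, port, proto))
            entry["dns_only"] = False
    return dict(out)


def suspicious(summary, min_queries=3):
    """Dynamic-DNS names, plus names looked up repeatedly without ever being connected to."""
    return sorted(d for d, e in summary.items()
                  if e["dynamic_dns"] or (e["dns_only"] and e["dns_queries"] >= min_queries))


if __name__ == "__main__":
    s = summarize(parse_table(SAMPLE))
    for d in suspicious(s):
        print(d, s[d])
```

On the report's own data the only name that comes out is salutoepiesircam.sytes.net, for both reasons: it is a dynamic-DNS host, and it is queried repeatedly with no TCP session behind it, which is why the report contains no C2 traffic to analyse beyond the hostname itself.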

Files

C:\Users\Admin\AppData\Local\Temp\budshpdig.bat

MD5 3c7b48100b1343fb5e491b6e25b3f973
SHA1 c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1
SHA256 82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b
SHA512 989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108

C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe

MD5 b0f7c04b2eeecc36eaf4b8028f039fca
SHA1 f4215f7f99a94bc0f11caed46fba0f5b6d894bf3
SHA256 49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0
SHA512 ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27

C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe

MD5 e1dc7c5bc0e25c682383ed45a4f1b62d
SHA1 efb65a80c919f0c3b7d20f7e6936c4ed1bc39526
SHA256 8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6
SHA512 a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc

memory/5188-22-0x0000000000E10000-0x0000000000E54000-memory.dmp

memory/5188-23-0x0000000003170000-0x0000000003176000-memory.dmp

memory/5188-24-0x00000000057A0000-0x00000000057DE000-memory.dmp

memory/5188-25-0x0000000005B10000-0x0000000005BAC000-memory.dmp

memory/5188-26-0x0000000006160000-0x0000000006704000-memory.dmp

memory/5188-27-0x0000000005BB0000-0x0000000005C42000-memory.dmp

memory/5188-28-0x0000000005850000-0x0000000005856000-memory.dmp

memory/4932-29-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afgsfxf.exe.log (CLR usage log, written when a .NET assembly runs under the 32-bit CLR v4; consistent with afgsfxf.exe being a managed executable)

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp

MD5 4ca9b69da92c5e2bccf63c0e57f8888d
SHA1 3812235f99f0f0685ecf6566816c8d0182601163
SHA256 0320bb6bdd7e13012024f1239019036e8707883cc208e2a9d63827568e4ee18e
SHA512 c912aef98bb83d9c6784574b01defd757f49a70079762d94961ee503a46b31502361bb067e345fcad733afd5f06dd00c6f6e8c98e7d010e96a7779ae6fb9853d