File name:

Xeno.exe

Full analysis: https://app.any.run/tasks/6d138f64-3052-4bbf-90da-f466ea4c51af
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: December 23, 2024, 20:28:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
miner
pastebin
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

6F2C998C60A662361C52B5AAC308DBCF

SHA1:

2EA662E7306F5DADC507F7E70BB0017AEA904A0E

SHA256:

01D051294C52CEEE92BC40026C9F8C8D076F3B128BD7DA809BD8ED257FEF0EEA

SSDEEP:

98304:MmgwMyDhnqxL/xYxpPMonmt2qzPOPsxbwp1n/DtMEWQXUykaSLw2BRyjUipTMEjz:/hrzdjRV8wo2s7U7deG/cUpPTRcd4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SetTimerResolutionService.exe (PID: 6712)
      • SetTimerResolutionService.exe (PID: 6844)
      • updater.exe (PID: 5512)

    • Adds path to the Windows Defender exclusion list

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6944)

    • DcRAT is detected

      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • comwebFontMonitor.exe (PID: 8252)

    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • lsass.exe (PID: 760)
      • svchost.exe (PID: 320)
      • svchost.exe (PID: 1076)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1068)
      • dwm.exe (PID: 912)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1908)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 2340)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 2748)
      • spoolsv.exe (PID: 2652)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2892)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 3600)
      • svchost.exe (PID: 3824)
      • dasHost.exe (PID: 3896)
      • svchost.exe (PID: 3668)
      • svchost.exe (PID: 2952)
      • svchost.exe (PID: 4000)
      • svchost.exe (PID: 3160)
      • svchost.exe (PID: 4168)
      • svchost.exe (PID: 4176)
      • svchost.exe (PID: 4696)
      • sihost.exe (PID: 1712)
      • svchost.exe (PID: 4436)
      • explorer.exe (PID: 4488)
      • ctfmon.exe (PID: 4268)
      • RuntimeBroker.exe (PID: 4960)
      • dllhost.exe (PID: 5164)
      • RuntimeBroker.exe (PID: 4676)
      • dllhost.exe (PID: 5904)
      • RuntimeBroker.exe (PID: 5820)
      • ApplicationFrameHost.exe (PID: 6108)
      • svchost.exe (PID: 3976)
      • MoUsoCoreWorker.exe (PID: 4712)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 812)
      • svchost.exe (PID: 4200)
      • UserOOBEBroker.exe (PID: 3004)
      • svchost.exe (PID: 1340)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 1764)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 4872)
      • svchost.exe (PID: 1480)
      • svchost.exe (PID: 1176)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 4512)
      • svchost.exe (PID: 376)

    • Runs injected code in another process

      • dialer.exe (PID: 6432)
      • dialer.exe (PID: 6632)

    • Changes the autorun value in the registry

      • comwebFontMonitor.exe (PID: 2632)

    • Changes the login/logoff helper path in the registry

      • comwebFontMonitor.exe (PID: 2632)

    • DARKCRYSTAL has been detected (SURICATA)

      • comwebFontMonitor.exe (PID: 8252)

    • Connects to the CnC server

      • comwebFontMonitor.exe (PID: 8252)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2192)

    • Actions looks like stealing of personal data

      • comwebFontMonitor.exe (PID: 8252)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 4764)
      • SetTimerResolutionService.exe (PID: 6844)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • comwebFontMonitor.exe (PID: 8252)
      • updater.exe (PID: 5512)

    • Reads security settings of Internet Explorer

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • Manipulates environment variables

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 5812)

    • Script adds exclusion path to Windows Defender

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6944)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6944)
      • comwebFontMonitor.exe (PID: 2632)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6944)
      • comwebFontMonitor.exe (PID: 1544)
      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7156)

    • Reads the date of Windows installation

      • comwebFontMonitor.exe (PID: 1544)

    • Executed via WMI

      • schtasks.exe (PID: 836)
      • schtasks.exe (PID: 4120)
      • schtasks.exe (PID: 4816)
      • schtasks.exe (PID: 2756)
      • schtasks.exe (PID: 3992)
      • schtasks.exe (PID: 3508)
      • schtasks.exe (PID: 6544)
      • schtasks.exe (PID: 2844)
      • schtasks.exe (PID: 5548)
      • schtasks.exe (PID: 6576)
      • schtasks.exe (PID: 6568)
      • schtasks.exe (PID: 6076)
      • schtasks.exe (PID: 2380)
      • schtasks.exe (PID: 6468)
      • schtasks.exe (PID: 6920)
      • schtasks.exe (PID: 6492)
      • schtasks.exe (PID: 3140)
      • schtasks.exe (PID: 5496)

    • Process drops legitimate windows executable

      • comwebFontMonitor.exe (PID: 2632)

    • Stops a currently running service

      • sc.exe (PID: 5728)
      • sc.exe (PID: 2600)
      • sc.exe (PID: 6520)
      • sc.exe (PID: 536)
      • sc.exe (PID: 3992)
      • sc.exe (PID: 6400)
      • sc.exe (PID: 8724)
      • sc.exe (PID: 8276)
      • sc.exe (PID: 3744)
      • sc.exe (PID: 6984)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 8132)

    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 6464)
      • cmd.exe (PID: 3628)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8060)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 8060)

    • The process executes via Task Scheduler

      • updater.exe (PID: 5512)

    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 5512)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)

    • Loads DLL from Mozilla Firefox

      • comwebFontMonitor.exe (PID: 8252)

  • INFO

    • Create files in a temporary directory

      • Xeno.exe (PID: 6616)
      • cvtres.exe (PID: 5748)
      • comwebFontMonitor.exe (PID: 2632)
      • SetTimerResolutionService.exe (PID: 6844)
      • cvtres.exe (PID: 1200)
      • cvtres.exe (PID: 6836)
      • cvtres.exe (PID: 6720)
      • comwebFontMonitor.exe (PID: 8252)

    • Reads the computer name

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • Checks supported languages

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • SetTimerResolutionService.exe (PID: 6844)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 4764)
      • cvtres.exe (PID: 5748)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • cvtres.exe (PID: 6836)
      • csc.exe (PID: 6732)
      • cvtres.exe (PID: 1200)
      • cvtres.exe (PID: 6720)
      • chcp.com (PID: 8280)
      • updater.exe (PID: 5512)
      • comwebFontMonitor.exe (PID: 8252)

    • Process checks computer location settings

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)

    • Reads the software policy settings

      • lsass.exe (PID: 760)

    • The sample compiled with english language support

      • Xeno.exe (PID: 6616)
      • comwebFontMonitor.exe (PID: 2632)
      • SetTimerResolutionService.exe (PID: 6844)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 4712)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • updater.exe (PID: 5512)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 8252)

    • Manual execution by a user

      • powershell.exe (PID: 7008)
      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 6464)
      • dialer.exe (PID: 6432)
      • powershell.exe (PID: 6476)
      • schtasks.exe (PID: 8740)
      • powershell.exe (PID: 5812)
      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 3628)
      • dialer.exe (PID: 6632)
      • powershell.exe (PID: 6296)
      • dialer.exe (PID: 7976)
      • dialer.exe (PID: 6536)

    • The process uses the downloaded file

      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6296)

    • Reads the machine GUID from the registry

      • comwebFontMonitor.exe (PID: 1544)
      • csc.exe (PID: 4764)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • comwebFontMonitor.exe (PID: 8252)

    • Reads Environment values

      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7064)
      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 3732)
      • powershell.exe (PID: 6732)
      • powershell.exe (PID: 6204)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 2928)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 6448)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7392)
      • powershell.exe (PID: 7460)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 6440)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6960)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7064)
      • powershell.exe (PID: 6732)
      • powershell.exe (PID: 6204)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 2928)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 6448)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 6440)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 3732)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7460)
      • powershell.exe (PID: 7392)
      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6960)

    • Creates files or folders in the user directory

      • csc.exe (PID: 4764)

    • Changes the display of characters in the console

      • cmd.exe (PID: 8060)

    • Checks proxy server information

      • comwebFontMonitor.exe (PID: 8252)

    • Disables trace logs

      • comwebFontMonitor.exe (PID: 8252)

    • The sample compiled with japanese language support

      • updater.exe (PID: 5512)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (69.9)
.exe | Win64 Executable (generic) (14.3)
.scr | Windows screen saver (6.8)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 11108864
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.9.0
ProductVersionNumber: 1.0.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Xeno - Executor UI https://github.com/Riz-ve/Xeno
CompanyName: XenoUI
FileDescription: XenoUI
FileVersion: 1.0.9
InternalName: XenoUI.dll
LegalCopyright: Rizve
OriginalFileName: XenoUI.dll
ProductName: Xeno
ProductVersion: 1.0.9+87ae4f96f8a0927052c1120167982fb069afd1b4
AssemblyVersion: 1.0.9.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
247
Monitored processes
211
Malicious processes
96
Suspicious processes
3

Behavior graph

Click at the process to see the details
start xeno.exe mpdefendercoreservice.exe settimerresolutionservice.exe no specs settimerresolutionservice.exe wscript.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #DCRAT comwebfontmonitor.exe cmd.exe conhost.exe no specs #DCRAT comwebfontmonitor.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs csc.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cvtres.exe no specs sc.exe no specs sc.exe no specs csc.exe conhost.exe no specs cmd.exe conhost.exe no specs dialer.exe powershell.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs cvtres.exe no specs powercfg.exe no specs csc.exe conhost.exe no specs powercfg.exe no specs cvtres.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs schtasks.exe conhost.exe no specs updater.exe powershell.exe conhost.exe no specs #DARKCRYSTAL comwebfontmonitor.exe cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs dialer.exe powershell.exe conhost.exe no specs dialer.exe dialer.exe svchost.exe svchost.exe winlogon.exe lsass.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe #MINER svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe svchost.exe runtimebroker.exe svchost.exe mousocoreworker.exe svchost.exe runtimebroker.exe dllhost.exe runtimebroker.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
320C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
376C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
536sc stop dosvcC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
776\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
836schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\found.000\dir0000.chk\RuntimeBroker.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
904"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execomwebFontMonitor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
159 174
Read events
158 348
Write events
450
Delete events
376

Modification events

(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeHigh
Value:
A75D0DB407D9DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeEstimated
Value:
A7F54852FFD8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeLow
Value:
A78D84F0F6D8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeTickCount
Value:
AA69130000000000
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeConfidence
Value:
0
(PID) Process:(1340) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\Desktop\Xeno.exe
Value:
53414350010000000000000007000000280000000094A900000000000100000000000000000002067100000050BB64EDDDACD5010000000000000000
(PID) Process:(3976) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:RebootRequired
Value:
0
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:delete valueName:ETagBackup
Value:
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:LastUpdated
Value:
0707428EFED8DA01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:LastRefreshAttempted
Value:
C180234C7955DB01
Executable files
40
Suspicious files
86
Text files
89
Unknown types
0

Dropped files

PID
Process
Filename
Type
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:741922B874DC8CFD7499D8C839B1D58E
SHA256:9B5DF12FBEE6F041E49297D7E3F6F682649F4928172EE2F5D88FE72D7C5C838C
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785der
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6616Xeno.exeC:\Users\admin\AppData\Local\Temp\MpDefenderCoreService.exeexecutable
MD5:0461FFE7BD459338E588A58C7603308F
SHA256:9E91E2EE79C04872C4F235EAA085BFBA87DBFB68D1D047D086B08F277CA0F274
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEbinary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
6616Xeno.exeC:\Users\admin\AppData\Local\Temp\SetTimerResolutionService.exeexecutable
MD5:CD4CD97F113C706BC90910F961749B47
SHA256:FD82A9B7E7810BD4FD23C853A12849F1DEABADC0788C5B42D6FD33422D0C57B6
6688MpDefenderCoreService.exeC:\Hypermonitor\0VfQUM6gUE8LTfF8GVCwwW2GcPFnDFc0UIGYZ.battext
MD5:F16EE742DB1D061EEE74BD0749C4298E
SHA256:04F2EB8AEA5A9B6111CF855F808B64155E3832B2DD4C7DEC2813DB1BD7E0BFCA
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Workxml
MD5:5FADF13CCFBDCC5DD728380F7A615B28
SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Workxml
MD5:4838EE953DAB2C7A1BF57E0C6620A79D
SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
1768svchost.exeC:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pfbinary
MD5:D468F6A6EB4AF06F7244D9B7A1D6A1F2
SHA256:15C4DD4217EEC864CEDE6216A1D6F73EBB1FD625ABB2997EAB59D3E0232A59D3
1276svchost.exeC:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Workxml
MD5:C6086D02F8CE044F5FA07A98303DC7EB
SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
89
TCP/UDP connections
30
DNS requests
11
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
8252
comwebFontMonitor.exe
188.114.97.3:80
uffyaa.ru
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.135
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.140
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
uffyaa.ru
  • 188.114.97.3
  • 188.114.96.3
malicious
pool.hashvault.pro
  • 192.248.189.11
  • 80.240.16.67
whitelisted
pastebin.com
  • 104.20.4.235
  • 172.67.19.24
  • 104.20.3.235
shared
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Xeno.exe