File name:

Xeno.exe

Full analysis: https://app.any.run/tasks/6d138f64-3052-4bbf-90da-f466ea4c51af
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: December 23, 2024, 20:28:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
miner
pastebin
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

6F2C998C60A662361C52B5AAC308DBCF

SHA1:

2EA662E7306F5DADC507F7E70BB0017AEA904A0E

SHA256:

01D051294C52CEEE92BC40026C9F8C8D076F3B128BD7DA809BD8ED257FEF0EEA

SSDEEP:

98304:MmgwMyDhnqxL/xYxpPMonmt2qzPOPsxbwp1n/DtMEWQXUykaSLw2BRyjUipTMEjz:/hrzdjRV8wo2s7U7deG/cUpPTRcd4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SetTimerResolutionService.exe (PID: 6712)
      • SetTimerResolutionService.exe (PID: 6844)
      • updater.exe (PID: 5512)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6944)

    • Adds path to the Windows Defender exclusion list

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • DcRAT is detected

      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • comwebFontMonitor.exe (PID: 8252)

    • Runs injected code in another process

      • dialer.exe (PID: 6432)
      • dialer.exe (PID: 6632)

    • Application was injected by another process

      • winlogon.exe (PID: 684)
      • svchost.exe (PID: 1076)
      • svchost.exe (PID: 1268)
      • svchost.exe (PID: 320)
      • dwm.exe (PID: 912)
      • lsass.exe (PID: 760)
      • svchost.exe (PID: 1276)
      • svchost.exe (PID: 1068)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1452)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1424)
      • svchost.exe (PID: 1316)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1972)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 2340)
      • svchost.exe (PID: 2272)
      • svchost.exe (PID: 1564)
      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 2064)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2364)
      • svchost.exe (PID: 1364)
      • svchost.exe (PID: 2500)
      • svchost.exe (PID: 2372)
      • svchost.exe (PID: 2816)
      • svchost.exe (PID: 2852)
      • svchost.exe (PID: 2748)
      • spoolsv.exe (PID: 2652)
      • svchost.exe (PID: 2892)
      • OfficeClickToRun.exe (PID: 2884)
      • svchost.exe (PID: 2944)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 3016)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 3592)
      • svchost.exe (PID: 3704)
      • svchost.exe (PID: 3824)
      • svchost.exe (PID: 3600)
      • dasHost.exe (PID: 3896)
      • svchost.exe (PID: 4168)
      • svchost.exe (PID: 3160)
      • svchost.exe (PID: 2952)
      • svchost.exe (PID: 4000)
      • sihost.exe (PID: 1712)
      • svchost.exe (PID: 4176)
      • svchost.exe (PID: 4696)
      • ctfmon.exe (PID: 4268)
      • explorer.exe (PID: 4488)
      • svchost.exe (PID: 4436)
      • RuntimeBroker.exe (PID: 4676)
      • RuntimeBroker.exe (PID: 4960)
      • dllhost.exe (PID: 5164)
      • svchost.exe (PID: 3164)
      • svchost.exe (PID: 3668)
      • dllhost.exe (PID: 5904)
      • RuntimeBroker.exe (PID: 5820)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 3976)
      • MoUsoCoreWorker.exe (PID: 4712)
      • UserOOBEBroker.exe (PID: 3004)
      • svchost.exe (PID: 1340)
      • svchost.exe (PID: 812)
      • uhssvc.exe (PID: 2908)
      • svchost.exe (PID: 1764)
      • svchost.exe (PID: 3056)
      • svchost.exe (PID: 4872)
      • svchost.exe (PID: 1480)
      • dllhost.exe (PID: 1816)
      • ApplicationFrameHost.exe (PID: 6108)
      • svchost.exe (PID: 4200)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 1176)
      • svchost.exe (PID: 376)
      • svchost.exe (PID: 4512)
      • svchost.exe (PID: 1660)
      • svchost.exe (PID: 1908)

    • Changes the autorun value in the registry

      • comwebFontMonitor.exe (PID: 2632)

    • Changes the login/logoff helper path in the registry

      • comwebFontMonitor.exe (PID: 2632)

    • DARKCRYSTAL has been detected (SURICATA)

      • comwebFontMonitor.exe (PID: 8252)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2192)

    • Actions looks like stealing of personal data

      • comwebFontMonitor.exe (PID: 8252)

    • Connects to the CnC server

      • comwebFontMonitor.exe (PID: 8252)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • Executable content was dropped or overwritten

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 4764)
      • SetTimerResolutionService.exe (PID: 6844)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • comwebFontMonitor.exe (PID: 8252)
      • updater.exe (PID: 5512)

    • Manipulates environment variables

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 5812)

    • Script adds exclusion path to Windows Defender

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6944)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6944)
      • comwebFontMonitor.exe (PID: 2632)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6944)
      • comwebFontMonitor.exe (PID: 1544)
      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Starts POWERSHELL.EXE for commands execution

      • explorer.exe (PID: 4488)
      • comwebFontMonitor.exe (PID: 2632)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7156)

    • Reads the date of Windows installation

      • comwebFontMonitor.exe (PID: 1544)

    • Executed via WMI

      • schtasks.exe (PID: 836)
      • schtasks.exe (PID: 4120)
      • schtasks.exe (PID: 4816)
      • schtasks.exe (PID: 3508)
      • schtasks.exe (PID: 3992)
      • schtasks.exe (PID: 2756)
      • schtasks.exe (PID: 6544)
      • schtasks.exe (PID: 5496)
      • schtasks.exe (PID: 2844)
      • schtasks.exe (PID: 5548)
      • schtasks.exe (PID: 6576)
      • schtasks.exe (PID: 6076)
      • schtasks.exe (PID: 3140)
      • schtasks.exe (PID: 6468)
      • schtasks.exe (PID: 6920)
      • schtasks.exe (PID: 2380)
      • schtasks.exe (PID: 6568)
      • schtasks.exe (PID: 6492)

    • Process drops legitimate windows executable

      • comwebFontMonitor.exe (PID: 2632)

    • Stops a currently running service

      • sc.exe (PID: 5728)
      • sc.exe (PID: 3992)
      • sc.exe (PID: 2600)
      • sc.exe (PID: 6520)
      • sc.exe (PID: 536)
      • sc.exe (PID: 6400)
      • sc.exe (PID: 3744)
      • sc.exe (PID: 8724)
      • sc.exe (PID: 8276)
      • sc.exe (PID: 6984)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 8132)

    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 6464)
      • cmd.exe (PID: 3628)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8060)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 8060)

    • The process executes via Task Scheduler

      • updater.exe (PID: 5512)

    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 5512)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2192)

    • Loads DLL from Mozilla Firefox

      • comwebFontMonitor.exe (PID: 8252)

  • INFO

    • Reads the software policy settings

      • lsass.exe (PID: 760)

    • Checks supported languages

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • SetTimerResolutionService.exe (PID: 6844)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 4764)
      • cvtres.exe (PID: 5748)
      • csc.exe (PID: 1668)
      • cvtres.exe (PID: 1200)
      • csc.exe (PID: 6548)
      • cvtres.exe (PID: 6836)
      • csc.exe (PID: 6732)
      • cvtres.exe (PID: 6720)
      • chcp.com (PID: 8280)
      • updater.exe (PID: 5512)
      • comwebFontMonitor.exe (PID: 8252)

    • Create files in a temporary directory

      • Xeno.exe (PID: 6616)
      • comwebFontMonitor.exe (PID: 2632)
      • cvtres.exe (PID: 5748)
      • cvtres.exe (PID: 1200)
      • SetTimerResolutionService.exe (PID: 6844)
      • cvtres.exe (PID: 6836)
      • cvtres.exe (PID: 6720)
      • comwebFontMonitor.exe (PID: 8252)

    • Process checks computer location settings

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)

    • Reads the computer name

      • Xeno.exe (PID: 6616)
      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • The sample compiled with english language support

      • Xeno.exe (PID: 6616)
      • comwebFontMonitor.exe (PID: 2632)
      • SetTimerResolutionService.exe (PID: 6844)

    • Creates files in the program directory

      • MoUsoCoreWorker.exe (PID: 4712)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • updater.exe (PID: 5512)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 8252)

    • Manual execution by a user

      • powershell.exe (PID: 7008)
      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 6464)
      • dialer.exe (PID: 6432)
      • powershell.exe (PID: 6476)
      • schtasks.exe (PID: 8740)
      • powershell.exe (PID: 5812)
      • cmd.exe (PID: 8132)
      • dialer.exe (PID: 6632)
      • cmd.exe (PID: 3628)
      • dialer.exe (PID: 6536)
      • powershell.exe (PID: 6296)
      • dialer.exe (PID: 7976)

    • The process uses the downloaded file

      • MpDefenderCoreService.exe (PID: 6688)
      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6296)

    • Reads the machine GUID from the registry

      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)
      • csc.exe (PID: 4764)
      • csc.exe (PID: 1668)
      • csc.exe (PID: 6548)
      • csc.exe (PID: 6732)
      • comwebFontMonitor.exe (PID: 8252)

    • Reads Environment values

      • comwebFontMonitor.exe (PID: 1544)
      • comwebFontMonitor.exe (PID: 2632)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 6732)
      • powershell.exe (PID: 6204)
      • powershell.exe (PID: 2928)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 6448)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 7064)
      • powershell.exe (PID: 3732)
      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7460)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 6440)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 7392)
      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 6960)

    • Creates files or folders in the user directory

      • csc.exe (PID: 4764)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7008)
      • powershell.exe (PID: 6936)
      • powershell.exe (PID: 7064)
      • powershell.exe (PID: 6204)
      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 2928)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 6448)
      • powershell.exe (PID: 6732)
      • powershell.exe (PID: 3732)
      • powershell.exe (PID: 6440)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 7392)
      • powershell.exe (PID: 6736)
      • powershell.exe (PID: 7644)
      • powershell.exe (PID: 7460)
      • powershell.exe (PID: 5812)
      • powershell.exe (PID: 6960)

    • Changes the display of characters in the console

      • cmd.exe (PID: 8060)

    • Checks proxy server information

      • comwebFontMonitor.exe (PID: 8252)

    • Disables trace logs

      • comwebFontMonitor.exe (PID: 8252)

    • The sample compiled with japanese language support

      • updater.exe (PID: 5512)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (69.9)
.exe | Win64 Executable (generic) (14.3)
.scr | Windows screen saver (6.8)
.dll | Win32 Dynamic Link Library (generic) (3.4)
.exe | Win32 Executable (generic) (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 11108864
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.9.0
ProductVersionNumber: 1.0.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Xeno - Executor UI https://github.com/Riz-ve/Xeno
CompanyName: XenoUI
FileDescription: XenoUI
FileVersion: 1.0.9
InternalName: XenoUI.dll
LegalCopyright: Rizve
OriginalFileName: XenoUI.dll
ProductName: Xeno
ProductVersion: 1.0.9+87ae4f96f8a0927052c1120167982fb069afd1b4
AssemblyVersion: 1.0.9.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
247
Monitored processes
211
Malicious processes
96
Suspicious processes
3

Behavior graph

Click at the process to see the details
start xeno.exe mpdefendercoreservice.exe settimerresolutionservice.exe no specs settimerresolutionservice.exe wscript.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #DCRAT comwebfontmonitor.exe cmd.exe conhost.exe no specs #DCRAT comwebfontmonitor.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs csc.exe conhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cvtres.exe no specs sc.exe no specs sc.exe no specs csc.exe conhost.exe no specs cmd.exe conhost.exe no specs dialer.exe powershell.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs cvtres.exe no specs powercfg.exe no specs csc.exe conhost.exe no specs powercfg.exe no specs cvtres.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs schtasks.exe conhost.exe no specs updater.exe powershell.exe conhost.exe no specs #DARKCRYSTAL comwebfontmonitor.exe cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs dialer.exe powershell.exe conhost.exe no specs dialer.exe dialer.exe svchost.exe svchost.exe winlogon.exe lsass.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe svchost.exe svchost.exe svchost.exe dllhost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe #MINER svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe officeclicktorun.exe svchost.exe uhssvc.exe svchost.exe svchost.exe svchost.exe useroobebroker.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dashost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe ctfmon.exe svchost.exe svchost.exe explorer.exe svchost.exe runtimebroker.exe svchost.exe mousocoreworker.exe svchost.exe runtimebroker.exe dllhost.exe runtimebroker.exe dllhost.exe applicationframehost.exe

Process information

PID
CMD
Path
Indicators
Parent process
320C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSMC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
376C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHostC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
536sc stop dosvcC:\Windows\System32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1062
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
684winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
760C:\WINDOWS\system32\lsass.exeC:\Windows\System32\lsass.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
776\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
812C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
836schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\found.000\dir0000.chk\RuntimeBroker.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
876\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
904"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execomwebFontMonitor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
159 174
Read events
158 348
Write events
450
Delete events
376

Modification events

(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeHigh
Value:
A75D0DB407D9DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeEstimated
Value:
A7F54852FFD8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:writeName:SecureTimeLow
Value:
A78D84F0F6D8DA01
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeTickCount
Value:
AA69130000000000
(PID) Process:(760) lsass.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:writeName:SecureTimeConfidence
Value:
0
(PID) Process:(1340) svchost.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:writeName:C:\Users\admin\Desktop\Xeno.exe
Value:
53414350010000000000000007000000280000000094A900000000000100000000000000000002067100000050BB64EDDDACD5010000000000000000
(PID) Process:(3976) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:writeName:RebootRequired
Value:
0
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:delete valueName:ETagBackup
Value:
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:LastUpdated
Value:
0707428EFED8DA01
(PID) Process:(4712) MoUsoCoreWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Wosc\Client\Persistent\ClientState\WOSC
Operation:writeName:LastRefreshAttempted
Value:
C180234C7955DB01
Executable files
40
Suspicious files
86
Text files
89
Unknown types
0

Dropped files

PID
Process
Filename
Type
4712MoUsoCoreWorker.exeC:\ProgramData\USOPrivate\UpdateStore\store.db-journalbinary
MD5:474F22BAF113A66CBCA875827A09CD55
SHA256:FE51339AF52FEC4CFDFDD86D34C7C70E533256A0446C9CAC3602C0ECE2829755
6616Xeno.exeC:\Users\admin\AppData\Local\Temp\MpDefenderCoreService.exeexecutable
MD5:0461FFE7BD459338E588A58C7603308F
SHA256:9E91E2EE79C04872C4F235EAA085BFBA87DBFB68D1D047D086B08F277CA0F274
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785der
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:473919CEF74E42B874461E3215B9423B
SHA256:DCADFE745B7C087B69DBCACFE570A8D1414F26D248C689F9FC591BCF180DE8CD
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEbinary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
1768svchost.exeC:\Windows\Prefetch\HOST.EXE-F5D74C61.pfbinary
MD5:9A2B3269CF4267536C89C9E58A6C94BB
SHA256:D21C12E8CBE204B302C59976037B33B4548E57272BDAEED891C325CC853D1385
4712MoUsoCoreWorker.exeC:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:741922B874DC8CFD7499D8C839B1D58E
SHA256:9B5DF12FBEE6F041E49297D7E3F6F682649F4928172EE2F5D88FE72D7C5C838C
4488explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6616Xeno.exeC:\Users\admin\AppData\Local\Temp\SetTimerResolutionService.exeexecutable
MD5:CD4CD97F113C706BC90910F961749B47
SHA256:FD82A9B7E7810BD4FD23C853A12849F1DEABADC0788C5B42D6FD33422D0C57B6
6688MpDefenderCoreService.exeC:\Hypermonitor\comwebFontMonitor.exeexecutable
MD5:CED502B20D79D154D77B178529D36000
SHA256:210E88C76C94AB19296E76EDED3878E39683F0334E836DC31368D5789FB45AC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
89
TCP/UDP connections
30
DNS requests
11
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
8252
comwebFontMonitor.exe
POST
200
188.114.97.3:80
http://uffyaa.ru/Phpjavascript_Test.php
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
8252
comwebFontMonitor.exe
188.114.97.3:80
uffyaa.ru
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.135
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.140
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
uffyaa.ru
  • 188.114.97.3
  • 188.114.96.3
malicious
pool.hashvault.pro
  • 192.248.189.11
  • 80.240.16.67
whitelisted
pastebin.com
  • 104.20.4.235
  • 172.67.19.24
  • 104.20.3.235
shared
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted

Threats

PID
Process
Class
Message
8252
comwebFontMonitor.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
8252
comwebFontMonitor.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2192
svchost.exe
Crypto Currency Mining Activity Detected
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Xeno.exe