File name: Xeno Executor Setup 1.0.0.exe

Full analysis: https://app.any.run/tasks/9ab4ef37-3dd1-420b-888d-4dbd46d2617d
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 13, 2024, 08:57:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-doc, websocket, stealer, discordgrabber, generic, growtopia
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 3E16CBD302CB621239608AC3CAF444CF
SHA1: 9FB50388DF593182080DDDC0E710ACA82E9A9D8D
SHA256: B95BFDD546145DC16DF5684B0F808AA993E3F0FA6AC0B9364BD95D589E34A1B7
SSDEEP: 786432:K/+9MUdHjvdTwVuMO8z5LZau9vk6133ewrddq:KG9MUFCVuOnZZp1neodq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for the user's acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • Xeno Executor.exe (PID: 4816)
    • DISCORDGRABBER has been detected (YARA)

      • Xeno Executor.exe (PID: 4816)
    • GROWTOPIA has been detected (YARA)

      • Xeno Executor.exe (PID: 4816)
    • Starts Visual C# compiler

      • cmd.exe (PID: 7284)
    • Connects to the CnC server

      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • Gets information on the list of running processes

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • cmd.exe (PID: 4808)
      • Xeno Executor.exe (PID: 4816)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 3740)
      • cmd.exe (PID: 6344)
      • cmd.exe (PID: 4556)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 6432)
      • cmd.exe (PID: 7296)
    • Starts CMD.EXE for commands execution

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
    • Executable content was dropped or overwritten

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
      • csc.exe (PID: 7308)
    • Drops 7-zip archiver for unpacking

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • Process drops legitimate windows executable

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • The process creates files with names similar to system file names

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • Reads security settings of Internet Explorer

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • Creates a software uninstall entry

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4312)
    • Application launched itself

      • Xeno Executor.exe (PID: 4816)
      • msedge.exe (PID: 7360)
      • chrome.exe (PID: 2360)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7092)
    • The process executes VB scripts

      • cmd.exe (PID: 8180)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6276)
      • cmd.exe (PID: 6416)
      • cmd.exe (PID: 7440)
    • Executing commands from a ".bat" file

      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 7936)
    • Contacting a server suspected of hosting a CnC

      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
    • Connects to unusual port

      • hexon_b4e22dc2f5a7dbf8.exe (PID: 864)
    • The executable file from the user directory is run by the CMD process

      • screenCapture_1.3.2.exe (PID: 7804)
  • INFO

    • Creates files in a temporary directory

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
    • Checks supported languages

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
      • Xeno Executor.exe (PID: 6584)
      • Xeno Executor.exe (PID: 2864)
    • Reads the computer name

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
      • Xeno Executor.exe (PID: 2864)
      • Xeno Executor.exe (PID: 6584)
    • Creates files or folders in the user directory

      • Xeno Executor Setup 1.0.0.exe (PID: 5564)
      • Xeno Executor.exe (PID: 4816)
    • Manual execution by a user

      • Xeno Executor.exe (PID: 4816)
      • notepad.exe (PID: 7312)
      • notepad.exe (PID: 8084)
      • notepad.exe (PID: 3524)
      • OpenWith.exe (PID: 6508)
      • OpenWith.exe (PID: 7424)
      • notepad.exe (PID: 2416)
      • OpenWith.exe (PID: 2132)
      • OpenWith.exe (PID: 8124)
      • OpenWith.exe (PID: 7524)
      • OpenWith.exe (PID: 7472)
      • OpenWith.exe (PID: 6200)
      • OpenWith.exe (PID: 1180)
      • OpenWith.exe (PID: 2776)
    • Reads product name

      • Xeno Executor.exe (PID: 4816)
    • Reads Environment values

      • Xeno Executor.exe (PID: 4816)
    • Checks proxy server information

      • Xeno Executor.exe (PID: 4816)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4312)
    • Process checks computer location settings

      • Xeno Executor.exe (PID: 4816)
    • Reads the machine GUID from the registry

      • Xeno Executor.exe (PID: 4816)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

Ext. | Description | Probability (%)
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Unreal Game Inc.
FileDescription: GraviyParadox
FileVersion: 1.0.0
LegalCopyright: Copyright © 2024 Unreal Game Inc.
ProductName: Xeno Executor
ProductVersion: 1.0.0
All screenshots are available in the full report
Total processes: 220
Monitored processes: 90
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in the order displayed ("no specs" is the graph's own label):

start, xeno executor setup 1.0.0.exe, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), find.exe (no specs), #DISCORDGRABBER xeno executor.exe, cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), xeno executor.exe (no specs), xeno executor.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), where.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), chrome.exe, chrome.exe (no specs), notepad.exe (no specs), chrome.exe (no specs), chrome.exe, chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), chrome.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), where.exe (no specs), notepad.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), notepad.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cscript.exe (no specs), hexon_b4e22dc2f5a7dbf8.exe, conhost.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), csc.exe, cvtres.exe (no specs), screencapture_1.3.2.exe (no specs), notepad.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs), openwith.exe (no specs)

Process information

PID: 528
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2304 --field-trial-handle=1956,i,4850502976277315183,1241193923187852363,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 864
CMD: "C:\Users\admin\AppData\Local\Temp\hexon_b4e22dc2f5a7dbf8.exe" HXN-MONTHLY-BA59F1FEAAAA discord
Path: C:\Users\admin\AppData\Local\Temp\hexon_b4e22dc2f5a7dbf8.exe
Parent process: cscript.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js JavaScript Runtime
Version: 18.5.0
Modules (images):
c:\users\admin\appdata\local\temp\hexon_b4e22dc2f5a7dbf8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll

PID: 944
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1840 --field-trial-handle=1956,i,4850502976277315183,1241193923187852363,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 122.0.6261.70
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 948
CMD: tasklist
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 948
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1048
CMD: taskkill /IM javaw.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 1180
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\install-sh
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 1204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1500
CMD: tasklist
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 15 386
Read events: 15 360
Write events: 26
Delete events: 0

Modification events

All events below were performed by Xeno Executor Setup 1.0.0.exe (PID 5564) with operation "write".

Key | Name | Value
HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | InstallLocation | C:\Users\admin\AppData\Local\Programs\unrealgame
HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | KeepShortcuts | true
HKEY_CURRENT_USER\SOFTWARE\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | ShortcutName | Xeno Executor
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | DisplayName | Xeno Executor 1.0.0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | UninstallString | "C:\Users\admin\AppData\Local\Programs\unrealgame\Uninstall Xeno Executor.exe" /currentuser
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | QuietUninstallString | "C:\Users\admin\AppData\Local\Programs\unrealgame\Uninstall Xeno Executor.exe" /currentuser /S
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | DisplayVersion | 1.0.0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | DisplayIcon | C:\Users\admin\AppData\Local\Programs\unrealgame\Xeno Executor.exe,0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | Publisher | Unreal Game Inc.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c9a54b87-cac9-56e1-8f4e-d6dc8640d022 | NoModify | 1
Executable files: 30
Suspicious files: 240
Text files: 108
Unknown types: 19

Dropped files

PID | Process | Filename | Type
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\app-64.7z |
    MD5: | SHA256:
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\icudtl.dat |
    MD5: | SHA256:
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\LICENSES.chromium.html |
    MD5: | SHA256:
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\chrome_100_percent.pak | pgc
    MD5: ACD0FA0A90B43CD1C87A55A991B4FAC3 | SHA256: CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\StdUtils.dll | executable
    MD5: C6A6E03F77C313B267498515488C5740 | SHA256: B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\LICENSE.electron.txt | text
    MD5: 4D42118D35941E0F664DDDBD83F633C5 | SHA256: 5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\nsis7z.dll | executable
    MD5: 80E44CE4895304C6A3A831310FBF8CD0 | SHA256: B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\bn.pak | pgc
    MD5: 8FEB4092426A0C2C167C0674114B014D | SHA256: FB0656A687555801EDFB9442B9F3E7F2B009BE1126F901CF4DA82D67AC4AD954
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\el.pak | pgc
    MD5: 6922AAA87431699787C1489E89AF17B9 | SHA256: 800545F9134914649DA91B90E7DF65D8208014C3E12F2BE551DFD6722BF84719
5564 | Xeno Executor Setup 1.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsmF15F.tmp\7z-out\locales\ca.pak | pgc
    MD5: 01ACD6F7A4EA85D8E63099CE1262FBAD | SHA256: B48D1BAD676F2E718CBE548302127E0B3567913A2835522D6DD90279A6D2A56A
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 12
TCP/UDP connections: 78
DNS requests: 63
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4004 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5616 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
 |  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6420 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6420 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
864 | hexon_b4e22dc2f5a7dbf8.exe | GET | 200 | 20.151.152.98:1337 | http://20.151.152.98:1337/socket.io/?EIO=4&transport=polling&t=ngce0u3c&sid=aB1vtKoAt9vjrv2CAAcA | unknown |
864 | hexon_b4e22dc2f5a7dbf8.exe | GET | 200 | 20.151.152.98:1337 | http://20.151.152.98:1337/socket.io/?EIO=4&transport=polling&t=ngc7i55p | unknown |
864 | hexon_b4e22dc2f5a7dbf8.exe | GET | 101 | 20.151.152.98:1337 | http://20.151.152.98:1337/socket.io/?EIO=4&transport=websocket&sid=aB1vtKoAt9vjrv2CAAcA | unknown |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 2.23.209.178:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 |  | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4004 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4004 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
 |  | 2.23.209.130:443 | th.bing.com | Akamai International B.V. | GB | whitelisted
 |  | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
6944 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.23.209.178, 2.23.209.167, 2.23.209.154, 2.23.209.160, 2.23.209.166, 2.23.209.179, 2.23.209.156, 2.23.209.158, 2.23.209.176, 2.23.209.186, 2.23.209.183, 2.23.209.181, 2.23.209.182, 2.23.209.187, 2.23.209.177, 2.23.209.185 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
google.com | 216.58.212.174 | whitelisted
login.live.com | 40.126.32.134, 20.190.160.20, 40.126.32.68, 40.126.32.140, 40.126.32.138, 20.190.160.14, 40.126.32.136, 20.190.160.17 | whitelisted
th.bing.com | 2.23.209.130, 2.23.209.185, 2.23.209.193, 2.23.209.183, 2.23.209.192, 2.23.209.186, 2.23.209.182, 2.23.209.133, 2.23.209.188, 2.23.209.178, 2.23.209.177, 2.23.209.166, 2.23.209.167, 2.23.209.181, 2.23.209.179 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59, 51.104.136.2 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted

Threats

Class | Message
Unknown Traffic | ET USER_AGENTS Node XMLHTTP User-Agent
Unknown Traffic | ET USER_AGENTS Node XMLHTTP User-Agent
Unknown Traffic | ET USER_AGENTS Node XMLHTTP User-Agent
Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
Not Suspicious Traffic | INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP
Not Suspicious Traffic | INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP
Unknown Traffic | ET USER_AGENTS Node XMLHTTP User-Agent
Not Suspicious Traffic | INFO [ANY.RUN] Socket.IO requests event-based bidirectional communication via HTTP

3 ETPRO signatures available in the full report
No debug info