File name:

Xeno.exe

Full analysis: https://app.any.run/tasks/8b26515b-992c-4538-b8a5-2b5fa6ea6864
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 19, 2025, 16:57:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
ms-smartcard
upx
salatstealer
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

DE8ED88EE137CB8F196D9C49945D79A5

SHA1:

CF8B93E05CAA2B70A98624901AFCBA57CB28A817

SHA256:

CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192

SSDEEP:

98304:mRt/kGh7wk/ApoYKmtUJNBumJIwdxdQTLB1N9PIlvM7/Cpz/H6PzJ7GH3YHUp2U8:2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • svchost.exe (PID: 7928)

    • SALATSTEALER has been detected (YARA)

      • svchost.exe (PID: 7928)

    • Steals credentials from Web Browsers

      • svchost.exe (PID: 7928)

  • SUSPICIOUS

    • Application launched itself

      • Xeno.exe (PID: 7428)

    • Reads security settings of Internet Explorer

      • Xeno.exe (PID: 7428)

    • The process creates files with name similar to system file names

      • Xeno.exe (PID: 7572)
      • svchost.exe (PID: 7928)

    • Executable content was dropped or overwritten

      • Xeno.exe (PID: 7572)
      • svchost.exe (PID: 7928)

    • Starts itself from another location

      • svchost.exe (PID: 7928)
      • Xeno.exe (PID: 7572)

    • Multiple wallet extension IDs have been found

      • svchost.exe (PID: 7928)

    • There is functionality for taking screenshot (YARA)

      • svchost.exe (PID: 7928)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 7928)

  • INFO

    • Checks supported languages

      • Xeno.exe (PID: 7428)
      • Xeno.exe (PID: 7572)
      • svchost.exe (PID: 8064)
      • svchost.exe (PID: 2088)
      • svchost.exe (PID: 7928)

    • Reads the computer name

      • Xeno.exe (PID: 7428)
      • Xeno.exe (PID: 7572)
      • svchost.exe (PID: 8064)
      • svchost.exe (PID: 7928)
      • svchost.exe (PID: 2088)

    • Reads the machine GUID from the registry

      • Xeno.exe (PID: 7428)
      • Xeno.exe (PID: 7572)
      • svchost.exe (PID: 8064)
      • svchost.exe (PID: 2088)
      • svchost.exe (PID: 7928)

    • Process checks computer location settings

      • Xeno.exe (PID: 7428)

    • Creates files or folders in the user directory

      • Xeno.exe (PID: 7572)

    • Creates files in the program directory

      • svchost.exe (PID: 7928)

    • Create files in a temporary directory

      • svchost.exe (PID: 7928)

    • Checks proxy server information

      • slui.exe (PID: 1324)

    • Reads the software policy settings

      • slui.exe (PID: 1324)

    • UPX packer has been detected

      • svchost.exe (PID: 7928)

    • Application based on Golang

      • svchost.exe (PID: 7928)

    • Detects GO elliptic curve encryption (YARA)

      • svchost.exe (PID: 7928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 3272704
InitializedDataSize: 4096
UninitializedDataSize: 8761344
EntryPoint: 0xb7a420
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start xeno.exe no specs xeno.exe #SALATSTEALER svchost.exe svchost.exe no specs svchost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1324C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2088"C:\Program Files (x86)\Microsoft\Edge\Application\svchost.exe" -C:\Program Files (x86)\Microsoft\Edge\Application\svchost.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\microsoft\edge\application\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7428"C:\Users\admin\Desktop\Xeno.exe" C:\Users\admin\Desktop\Xeno.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\desktop\xeno.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7572"C:\Users\admin\Desktop\Xeno.exe" C:\Users\admin\Desktop\Xeno.exe
Xeno.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\xeno.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7928C:\Users\admin\AppData\Local\Publishers\svchost.exeC:\Users\admin\AppData\Local\Publishers\svchost.exe
Xeno.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\publishers\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
8064"C:\Program Files\Google\Chrome\Application\svchost.exe" -C:\Program Files\Google\Chrome\Application\svchost.exesvchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\google\chrome\application\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
Total events
7 262
Read events
7 262
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7928svchost.exeC:\Program Files (x86)\Microsoft\Edge\Application\svchost.exeexecutable
MD5:DE8ED88EE137CB8F196D9C49945D79A5
SHA256:CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192
7572Xeno.exeC:\Users\admin\AppData\Local\DBG\TextInputHost.exeexecutable
MD5:DE8ED88EE137CB8F196D9C49945D79A5
SHA256:CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192
7928svchost.exeC:\Users\admin\AppData\Local\Publishers\svchost.exe:KoWMRiexecutable
MD5:DE8ED88EE137CB8F196D9C49945D79A5
SHA256:CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192
7928svchost.exeC:\Program Files\Google\Chrome\Application\svchost.exeexecutable
MD5:DE8ED88EE137CB8F196D9C49945D79A5
SHA256:CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192
7572Xeno.exeC:\Users\admin\AppData\Local\Publishers\svchost.exeexecutable
MD5:DE8ED88EE137CB8F196D9C49945D79A5
SHA256:CD1B37135693A745819A329C291F76274426900C080B66B8FC269E9860EB2192
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
28
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2432
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7572
Xeno.exe
1.1.1.1:443
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7572
Xeno.exe
104.21.84.111:443
unknown
7928
svchost.exe
1.1.1.1:443
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Xeno.exe