Malware analysis Xeno-v1.0.8-x64.zip Malicious activity

Add for printing

File name:	Xeno-v1.0.8-x64.zip
Full analysis:	https://app.any.run/tasks/74e134ec-b32a-4afa-847d-0b224a98c409
Verdict:	Malicious activity
Analysis date:	October 16, 2024, 15:24:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-scr arch-html
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	C232BEA765C6EDB442A8709A2A012279
SHA1:	904CBB05A56948661A34A75F4D5484DCE7CB6C03
SHA256:	E2157140596246478DA3EEF7AC3C3279E69ED1C6820CCFE2CD3F3B90C4B9A288
SSDEEP:	98304:CcPopwM7tsoEXKMMixHQKhsLk+4xIDvJTu9043df5zznZGERwstZ3+gecrRTZp8g:5YwG057/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 4508)
  - WinRAR.exe (PID: 6136)
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7980)
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7276)
  - msiexec.exe (PID: 7148)
- Starts a Microsoft application from unusual location
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7980)
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7276)
- Executable content was dropped or overwritten
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 4508)
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7980)
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7276)
- Starts itself from another location
  - windowsdesktop-runtime-8.0.10-win-x64.exe (PID: 7980)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 7148)
- Executes application which crashes
  - Xeno.exe (PID: 5372)
INFO
- Application launched itself
  - msedge.exe (PID: 6868)
  - msedge.exe (PID: 6836)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6136)
  - msedge.exe (PID: 6868)
  - msiexec.exe (PID: 7148)
- Manual execution by a user
  - Xeno.exe (PID: 6364)
  - Xeno.exe (PID: 5372)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:10:12 14:41:00
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Xeno-v1.0.8-x64/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

200

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

528

C:\Windows\syswow64\MsiExec.exe -Embedding 6234EA4E0407A2C8984FB64AC081470B

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1248

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3516 --field-trial-handle=2464,i,17719795983525881255,3975454672404969002,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1252

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3528 --field-trial-handle=2336,i,4667782588164125771,2577759837564321241,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1280

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3548 --field-trial-handle=2464,i,17719795983525881255,3975454672404969002,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1576

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2172

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2224

C:\Windows\syswow64\MsiExec.exe -Embedding 7F64BF0867628F072A8E6E3712FC95C3

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2796

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=2464,i,17719795983525881255,3975454672404969002,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3028

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2336,i,4667782588164125771,2577759837564321241,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

3648

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1664 --field-trial-handle=2464,i,17719795983525881255,3975454672404969002,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

28 250

Read events

27 279

Write events

914

Delete events

Modification events


(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\Xeno-v1.0.8-x64.zip
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	13
Value:
(PID) Process:	(6136) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	12
Value:

Add for printing

Executable files

500

Suspicious files

317

Text files

144

Unknown types

Dropped files

PID	Process	Filename		Type
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\editor.lua		text
		MD5:9CA04DC1EED106950481D417E354D0AD	SHA256:80859440D691ACB54F83F3B843645A2C16D9280F973AB06DA520A4C2AE8E0FB7
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.nls.zh-cn.js		text
		MD5:05E49314CF801F5D3992B55243690EA7	SHA256:E9ADC8FFCA9853EF6E0BD4E955AF9F395A570BC7772FC2DAC0C0FF241AAC864B
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.nls.es.js		text
		MD5:36F546B28CA17ECE9F8EB9BCF8344E13	SHA256:327437EE3793E9AE0686C78196B459592C282ED2E86F95CE28D32693B76D7654
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.nls.ja.js		text
		MD5:3BF851CC70F515CBBE1D39DA93E4F041	SHA256:1F3556EA7233843B9E08B3C97B6727C533D702563E195C2090A438070DC85F0F
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\index.html		html
		MD5:A9793319D1395E6F3564BBA48465D42A	SHA256:02AC2CEAFC55B77FC9AE9DD8C15285A4BB0247F5851AE601C9CBFEF5228A8325
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\base\worker\workerMain.js		s
		MD5:D0AC5294C58E523CDDF25BC6D785FA48	SHA256:E90D1A8F116FA74431117A3AD78DDE16DDE060A4BF7528DFE3D5A3AD6156504B
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.nls.ru.js		text
		MD5:6E7D5B984917B00F131C47473CE2B866	SHA256:1BB069D95A395BF258D1F262814591AA762C4B30529ADDE32CCBCAA7C7CA508D
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.js		text
		MD5:A7E3083CFE200263EDFB4BF011B893A3	SHA256:9E2FB6171592F7A3C33D3B5BAEF58B516B36473FF7717BBD643574991923435E
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\editor\editor.main.css		text
		MD5:23C7DB6E12F6454EF6E7FB98D17924D8	SHA256:615824C59ED1E07F5924286E9F02F3120B9064D59E115D3F668A914E07839451
6136	WinRAR.exe	C:\Users\admin\Desktop\Xeno-v1.0.8-x64\bin\Monaco\vs\basic-languages\lua\lua.js		s
		MD5:EEBDA1FDD970433750C115EAE2F03865	SHA256:AC729EFB3164F48D6B08F74D4B15060C126A30D40FB4CD4FC9CC94F2E19BD7C7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

105

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8092	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5232	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8092	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3864	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6868	msedge.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6868	msedge.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
6436	svchost.exe	HEAD	200	2.22.242.227:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/181d62d0-8e71-4ab0-b6f0-62f746749689?P1=1729298748&P2=404&P3=2&P4=WcRG892WIAkskpaGj3s%2bBfq%2fFIiDIcIX5SFiLuhgqgMxAqLN7YPHn46J0ZfgJUEVVPVA6AvXc6LgzBvBD7NaFA%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4836	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4360	SearchApp.exe	2.16.110.179:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156 23.48.23.173	whitelisted
www.microsoft.com	23.52.120.96 88.221.169.152	whitelisted
www.bing.com	2.16.110.179 2.16.110.203 2.16.110.136 2.16.110.168 2.16.110.200 2.16.110.152 2.16.110.138 2.16.110.121 2.16.110.170 2.16.110.131 2.16.110.171 2.16.110.193 2.16.110.123	whitelisted
google.com	142.250.185.238	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 20.190.159.68 20.190.159.73 40.126.31.69 20.190.159.64 40.126.31.67 20.190.159.4 40.126.31.73	whitelisted
th.bing.com	2.16.110.179 2.16.110.121 2.16.110.136 2.16.110.170 2.16.110.131 2.16.110.171 2.16.110.193 2.16.110.203 2.16.110.123	whitelisted
go.microsoft.com	23.52.121.103 23.32.186.57	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted

Threats

PID	Process	Class	Message
2172	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
2172	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.us .to Domain

Add for printing

Process	Message
Xeno.exe	You must install .NET to run this application. App: C:\Users\admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe Architecture: x64 App host version: 8.0.8 .NET location: Not found Learn more: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.8
Xeno.exe	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Xeno-v1.0.8-x64.zip

C232BEA765C6EDB442A8709A2A012279

904CBB05A56948661A34A75F4D5484DCE7CB6C03

E2157140596246478DA3EEF7AC3C3279E69ED1C6820CCFE2CD3F3B90C4B9A288

98304:CcPopwM7tsoEXKMMixHQKhsLk+4xIDvJTu9043df5zznZGERwstZ3+gecrRTZp8g:5YwG057/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Starts itself from another location

The process drops C-runtime libraries

Executes application which crashes

INFO

Application launched itself

Executable content was dropped or overwritten

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings