Analysis Overview
SHA256
d4494d6239ab355a31308234f5c4508c6b31cb2e89e0636101de41bd60d544fb
Threat Level: Shows suspicious behavior
The file Xeno-v1.0.9-x64-New.zip was found to show suspicious behavior.
Malicious Activity Summary
Legitimate hosting services abused for malware hosting/C2
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Embeds OpenSSL
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:28
Signatures
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\libssl-3-x64.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\libssl-3-x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe | C:\Windows\system32\WerFault.exe |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe | C:\Windows\system32\WerFault.exe |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2532 -s 500
Network
Files
memory/2532-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
memory/2532-1-0x000000013FFD0000-0x000000013FFE6000-memory.dmp
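Most of the process trees in this report are the sandbox's own launch heuristics rather than the sample's behaviour: every DLL in the archive is loaded with `rundll32.exe <dll>,#1`, every `.js` file is handed to `wscript.exe`, the Monaco `index.html` is opened in Internet Explorer, and the WriteProcessMemory rows above all target `WerFault.exe`, which Windows starts when a process crashes (the `Program crash` signature). The Python below is an added triage helper, not part of the report or of the Xeno project; it classifies the command lines quoted on this page and returns only the runs attributable to the sample's own executables (`Xeno.exe`, `XenoUI.exe`). The conventions it encodes (`,#1` ordinal launch, `.js` under wscript, `WerFault -u -p <pid> -s <n>`) are assumptions read off this page, and the row dictionary is constructed from the Processes sections above.

```python
"""Added triage helper: classify the process command lines quoted in this
report as sandbox launchers, crash handlers, or the sample's own code.
Conventions encoded here (rundll32 ordinal #1, wscript for .js, iexplore
for .html, WerFault -u -p <pid> -s <n>) are assumptions read off this page."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Extraction directory shown in every command line on this page.
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New"


@dataclass
class Verdict:
    kind: str   # "launcher" | "crash-handler" | "sample-exe" | "other"
    note: str


def classify_cmdline(cmd: str) -> Verdict:
    """Decide whether a command line reflects the sandbox or the sample."""
    low = cmd.strip().strip('"').lower()
    if re.match(r"rundll32\.exe\s+.+\.dll,#1$", low):
        return Verdict("launcher", "DLL loaded via rundll32 ordinal #1 by the sandbox")
    if low.startswith("wscript.exe ") and low.endswith(".js"):
        return Verdict("launcher", ".js file fed to wscript by the sandbox")
    if "iexplore.exe" in low:
        return Verdict("launcher", "Internet Explorer opened by the sandbox for an .html file (or its tab child)")
    m = re.match(r"c:\\windows\\system32\\werfault\.exe -u -p (\d+) -s (\d+)", low)
    if m:
        return Verdict("crash-handler", f"Windows Error Reporting for crashed PID {m.group(1)}")
    if low.startswith(SAMPLE_DIR.lower() + "\\") and low.endswith(".exe"):
        return Verdict("sample-exe", "sample's own executable; behaviour is attributable to it")
    return Verdict("other", "unclassified; review manually")


def classify_wpm(process: str, target: str) -> str:
    """Interpret a 'PID X wrote to memory of Y' row from the WriteProcessMemory signature."""
    p, t = process.lower(), target.lower()
    if t.endswith("\\werfault.exe"):
        # The crashing process launches WerFault.exe; process creation writes into
        # the new child, which is what this signature counts. Not injection.
        return "benign: crash handoff to WerFault"
    if p.endswith("\\iexplore.exe") and t.endswith("\\iexplore.exe"):
        return "benign: IE frame process starting a tab process"
    return "REVIEW: cross-process write outside known-benign pairs"


# Command lines copied from the Processes sections of this report (constructed input).
CMDLINES: Dict[str, str] = {
    "behavioral27": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\libssl-3-x64.dll,#1",
    "behavioral13": r'"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe"',
    "behavioral13/wer": r"C:\Windows\system32\WerFault.exe -u -p 2532 -s 500",
    "behavioral19": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\editor\editor.main.js",
    "behavioral12": r'"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe"',
    "behavioral15": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\index.html',
}


def attributable_runs(cmdlines: Dict[str, str]) -> List[str]:
    """Analyses whose top-level process is the sample's own code."""
    return [name for name, cmd in cmdlines.items() if classify_cmdline(cmd).kind == "sample-exe"]


if __name__ == "__main__":
    for name, cmd in CMDLINES.items():
        v = classify_cmdline(cmd)
        print(f"{name:18} {v.kind:14} {v.note}")
    print("attributable:", attributable_runs(CMDLINES))   # ['behavioral13', 'behavioral12']
```

Only behavioral13 and behavioral12 survive the filter: the XenoUI.exe run that crashed into WerFault and the Xeno.exe run that reached raw.githubusercontent.com. Everything else on the page is the sandbox exercising the archive's dependency DLLs and Monaco editor scripts.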
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20241010-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\editor\editor.main.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.WinForms.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.Wpf.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:29
Platform
win10v2004-20241007-en
Max time kernel
2s
Max time network
10s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\libcrypto-3-x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\runtimes\win-x64\native\WebView2Loader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\scripts\Dex.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:29
Platform
win7-20240903-en
Max time kernel
0s
Max time network
1s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.Core.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\libcrypto-3-x64.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1952 -s 88
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.WinForms.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\loader.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\editor\editor.main.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20241023-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:29
Platform
win10v2004-20241007-en
Max time kernel
13s
Max time network
13s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
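The Network tables mix three things: PTR lookups of the form `a.b.c.d.in-addr.arpa` (the Windows 10 VM reverse-resolving addresses, present in nearly every run including DLL loads that do nothing else), forward DNS queries, and actual flows. In this run the only flow that belongs to the sample is the TLS connection to raw.githubusercontent.com at 185.199.110.133:443, which is what the "Legitimate hosting services abused" signature keys on. The Python below is an added example, not part of the report, that parses the rows quoted above (copied here as constructed input, including the short row with no Domain cell) and separates the reverse-DNS noise from the real indicators. Treating the PTR traffic as sandbox noise rather than sample activity is an assumption, based on the same lookups appearing in runs of inert DLLs elsewhere on this page.

```python
"""Added example: separate real network indicators in a sandbox report from
the VM's reverse-DNS (PTR) noise. Treating in-addr.arpa lookups as noise is an
assumption drawn from their presence in runs that only load inert DLLs."""
import ipaddress
from typing import Dict, List, Optional

# Rows copied from the behavioral12 Network table above (constructed input;
# the last row is the short one with no Domain cell, kept to show it is skipped).
BEHAVIORAL12 = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
""".strip().splitlines()


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Parse one '| Country | Destination | Domain | Proto |' row; None for the header or malformed rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    return dict(zip(("country", "dest", "domain", "proto"), cells))


def ptr_target(domain: str) -> Optional[str]:
    """IP encoded by a PTR name: '154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None otherwise."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage(rows: List[str]) -> Dict[str, list]:
    """Split rows into PTR noise, forward DNS queries, and actual flows."""
    ptr_ips, lookups, flows = set(), set(), set()
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        ip = ptr_target(r["domain"])
        if ip:
            ptr_ips.add(ip)                       # VM reverse-resolving an address; context only
        elif r["dest"].endswith(":53") and r["proto"] == "udp":
            lookups.add(r["domain"])              # forward DNS query from something on the VM
        else:
            flows.add((r["domain"], r["dest"], r["proto"]))   # a real connection: the indicator
    return {"ptr_noise": sorted(ptr_ips), "lookups": sorted(lookups), "flows": sorted(flows)}


if __name__ == "__main__":
    result = triage(BEHAVIORAL12)
    print("flows:", result["flows"])          # [('raw.githubusercontent.com', '185.199.110.133:443', 'tcp')]
    print("forward lookups:", result["lookups"])
    print("PTR noise:", len(result["ptr_noise"]), "addresses")
```

Run against the other Network tables on this page, every rundll32 and wscript detonation collapses to PTR noise only, which is the quickest way to confirm that none of the archive's DLLs or editor scripts phone home on load; the GitHub fetch is specific to Xeno.exe and to the Monaco page rendered in Internet Explorer.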
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\editor\editor.main.nls.zh-cn.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\editor\editor.main.nls.zh-cn.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\loader.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
146s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\XenoUI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2820-0-0x00007FFFDCBE3000-0x00007FFFDCBE5000-memory.dmp
memory/2820-1-0x0000021CB3BF0000-0x0000021CB3C06000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:29
Platform
win7-20240903-en
Max time kernel
0s
Max time network
5s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Xeno.exe"
Network
Files
memory/552-0-0x00000000002E0000-0x00000000002E1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20241010-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a7c9700236db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BDAD4E1-A1F5-11EF-BA1B-C670A0C1054F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000001642506d4bf3482badfd7bb0ece68c5d0221297104704bec83bfbffbef411c3c000000000e8000000002000020000000a9a8cd37f7ed08a4c4f3566026971b3e7a92d6367d0bdd99b422dd39694808bd200000005032e7c862cd2bee1ca97257db6917d231a8691eae017bd89c735bbcac83497c4000000052c11757c6e9e242628f8debd5b341eef5758eb9949339b3587bab8299a5ae9f1db9b3da3b9c1147f8b051a9d79506ab3a78d1d68ab36b788d474294373bcd43 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437688040" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2868 wrote to memory of 2244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2868 wrote to memory of 2244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2868 wrote to memory of 2244 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab64ED.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar65F9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
138s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\index.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa56346f8,0x7fffa5634708,0x7fffa5634718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,4560748080173143369,18115230187627741139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\base\worker\workerMain.js
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
145s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\bin\Monaco\vs\base\worker\workerMain.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 1488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\runtimes\win-x86\native\WebView2Loader.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\runtimes\win-x86\native\WebView2Loader.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 600
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\scripts\Dex.js
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Microsoft.Web.WebView2.Wpf.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:32
Platform
win7-20240729-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New\Newtonsoft.Json.dll,#1