Windows Analysis Report
Xeno.exe

AV Detection

Source: Xeno.exe

Avira: detected

Source: distance-av.gl.at.ply.gg	Avira URL Cloud: Label: malware
Source: distance-av.gl.at.ply.gg:18726	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\WinService.exe	Avira: detection malicious, Label: TR/Spy.Gen

Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["distance-av.gl.at.ply.gg", "distance-av.gl.at.ply.gg:18726", "127.0.0.1:2028"], "Port": 18726, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Source: C:\Users\user\AppData\Roaming\WinService.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	ReversingLabs: Detection: 91%

Source: Xeno.exe	Virustotal: Detection: 50%			Perma Link
Source: Xeno.exe	ReversingLabs: Detection: 66%

Source: Submited Sample

Neural Call Log Analysis: 99.9%

Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: distance-av.gl.at.ply.gg,distance-av.gl.at.ply.gg:18726,127.0.0.1:2028
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 18726
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %AppData%
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: WinService.exe

Compliance

Source: Xeno.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Xeno.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor	URLs: distance-av.gl.at.ply.gg
Source: Malware configuration extractor	URLs: distance-av.gl.at.ply.gg:18726
Source: Malware configuration extractor	URLs: 127.0.0.1:2028

Source: global traffic

TCP traffic: 147.185.221.20 ports 1,2,6,7,8,18726

Source: global traffic

TCP traffic: 192.168.2.4:49718 -> 147.185.221.20:18726

Source: Joe Sandbox View

IP Address: 147.185.221.20 147.185.221.20

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: distance-av.gl.at.ply.gg

Source: xeno stub.exe, 00000002.00000002.3669567650.0000000003171000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: xeno stub.exe.1.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: WinService.exe.2.dr, XLogger.cs	.Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1216993918.0000000000E32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB089D		1_2_00007FFC3DBB089D
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB0B40		1_2_00007FFC3DBB0B40
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB2D40		1_2_00007FFC3DBB2D40
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB0500		1_2_00007FFC3DBB0500
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBBAD00		1_2_00007FFC3DBBAD00
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB408B		1_2_00007FFC3DBB408B
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB807F		1_2_00007FFC3DBB807F
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Code function: 2_2_00007FFC3DBA146D		2_2_00007FFC3DBA146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 15_2_00007FFC3DB71C59		15_2_00007FFC3DB71C59
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 15_2_00007FFC3DB7146D		15_2_00007FFC3DB7146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 17_2_00007FFC3DBA146D		17_2_00007FFC3DBA146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 18_2_00007FFC3DB91C59		18_2_00007FFC3DB91C59
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 18_2_00007FFC3DB9146D		18_2_00007FFC3DB9146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 19_2_00007FFC3DB91C59		19_2_00007FFC3DB91C59
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 19_2_00007FFC3DB9146D		19_2_00007FFC3DB9146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 22_2_00007FFC3DBA146D		22_2_00007FFC3DBA146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 24_2_00007FFC3DB71C59		24_2_00007FFC3DB71C59
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 24_2_00007FFC3DB7146D		24_2_00007FFC3DB7146D
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 25_2_00007FFC3DB91C59		25_2_00007FFC3DB91C59
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 25_2_00007FFC3DB9146D		25_2_00007FFC3DB9146D

Source: Xeno.exe, 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexeno stub.exe4 vs Xeno.exe
Source: Xeno.exe, 00000001.00000002.1232384101.00000000016D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOutput.exe4 vs Xeno.exe
Source: Xeno.exe, 00000001.00000000.1208183980.0000000000F52000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameOutput.exe4 vs Xeno.exe
Source: Xeno.exe	Binary or memory string: OriginalFilenameOutput.exe4 vs Xeno.exe

Source: Xeno.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1216993918.0000000000E32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Xeno.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xeno stub.exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xeno stub.exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xeno stub.exe.1.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WinService.exe.2.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: WinService.exe.2.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: xeno stub.exe.1.dr, Settings.cs	Base64 encoded string: 'Knb9Q5krNVj35s1cygU/GMUjgxsmOohhLxUrjGbuoUfxxc9Rg6kesg+qofSaR1AxfvX6IywjPA6+Vcc1RKz8dTb7Icp39sRCE/nGU1VQ0so='
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Settings.cs	Base64 encoded string: 'Knb9Q5krNVj35s1cygU/GMUjgxsmOohhLxUrjGbuoUfxxc9Rg6kesg+qofSaR1AxfvX6IywjPA6+Vcc1RKz8dTb7Icp39sRCE/nGU1VQ0so='
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Settings.cs	Base64 encoded string: 'Knb9Q5krNVj35s1cygU/GMUjgxsmOohhLxUrjGbuoUfxxc9Rg6kesg+qofSaR1AxfvX6IywjPA6+Vcc1RKz8dTb7Icp39sRCE/nGU1VQ0so='
Source: WinService.exe.2.dr, Settings.cs	Base64 encoded string: 'Knb9Q5krNVj35s1cygU/GMUjgxsmOohhLxUrjGbuoUfxxc9Rg6kesg+qofSaR1AxfvX6IywjPA6+Vcc1RKz8dTb7Icp39sRCE/nGU1VQ0so='

Source: WinService.exe.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: WinService.exe.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: xeno stub.exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xeno stub.exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/8@1/1

Source: C:\Users\user\Desktop\Xeno.exe

File created: C:\Users\user\AppData\Roaming\xeno stub.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Mutant created: \Sessions\1\BaseNamedObjects\CpyzsDbQfEVux4Zo
Source: C:\Users\user\AppData\Roaming\WinService.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Users\user\Desktop\Xeno.exe	Mutant created: \Sessions\1\BaseNamedObjects\l1t2Qxkgd831QDErY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\xeno.bat" "

Source: Xeno.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Xeno.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Xeno.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Xeno.exe	Virustotal: Detection: 50%
Source: Xeno.exe	ReversingLabs: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\Xeno.exe "C:\Users\user\Desktop\Xeno.exe"
Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Users\user\AppData\Roaming\xeno stub.exe "C:\Users\user\AppData\Roaming\xeno stub.exe"
Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\xeno.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode con: cols=69 lines=16
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinService" /tr "C:\Users\user\AppData\Roaming\WinService.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe C:\Users\user\AppData\Roaming\WinService.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe "C:\Users\user\AppData\Roaming\WinService.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe "C:\Users\user\AppData\Roaming\WinService.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe C:\Users\user\AppData\Roaming\WinService.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe C:\Users\user\AppData\Roaming\WinService.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe C:\Users\user\AppData\Roaming\WinService.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WinService.exe C:\Users\user\AppData\Roaming\WinService.exe
Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Users\user\AppData\Roaming\xeno stub.exe "C:\Users\user\AppData\Roaming\xeno stub.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\xeno.bat" "			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinService" /tr "C:\Users\user\AppData\Roaming\WinService.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode con: cols=69 lines=16			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: linkinfo.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: ntshrui.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: cscapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll			Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll			Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Section loaded: cryptbase.dll			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: WinService.lnk.2.dr

LNK file: ..\..\..\..\..\WinService.exe

Source: C:\Users\user\Desktop\Xeno.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Xeno.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Xeno.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: xeno stub.exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: xeno stub.exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: WinService.exe.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: WinService.exe.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: xeno stub.exe.1.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: xeno stub.exe.1.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: xeno stub.exe.1.dr, Messages.cs	.Net Code: Memory
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, Messages.cs	.Net Code: Memory
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, Messages.cs	.Net Code: Memory
Source: WinService.exe.2.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: WinService.exe.2.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: WinService.exe.2.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB1398 push es; ret		1_2_00007FFC3DBB139A
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB1339 push es; ret		1_2_00007FFC3DBB134A
Source: C:\Users\user\Desktop\Xeno.exe	Code function: 1_2_00007FFC3DBB2EE8 push edi; ret		1_2_00007FFC3DBB2F1A
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Code function: 2_2_00007FFC3DBA05A0 push ebx; retf FFEFh		2_2_00007FFC3DBA062A
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Code function: 2_2_00007FFC3DBA213D push E95DDE3Fh; iretd		2_2_00007FFC3DBA2189
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 15_2_00007FFC3DB705A0 push ebx; retf FFEFh		15_2_00007FFC3DB7062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 17_2_00007FFC3DBA05A0 push ebx; retf FFEFh		17_2_00007FFC3DBA062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 18_2_00007FFC3DB905A0 push ebx; retf FFEFh		18_2_00007FFC3DB9062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 19_2_00007FFC3DB905A0 push ebx; retf FFEFh		19_2_00007FFC3DB9062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 22_2_00007FFC3DBA05A0 push ebx; retf FFEFh		22_2_00007FFC3DBA062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 24_2_00007FFC3DB705A0 push ebx; retf FFEFh		24_2_00007FFC3DB7062A
Source: C:\Users\user\AppData\Roaming\WinService.exe	Code function: 25_2_00007FFC3DB905A0 push ebx; retf FFEFh		25_2_00007FFC3DB9062A

Source: Xeno.exe

Static PE information: section name: .text entropy: 7.923617052059288

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	File created: C:\Users\user\AppData\Roaming\WinService.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Xeno.exe	File created: C:\Users\user\AppData\Roaming\xeno stub.exe			Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinService" /tr "C:\Users\user\AppData\Roaming\WinService.exe"

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinService.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinService.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinService			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinService			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Xeno.exe	Memory allocated: 14A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Memory allocated: 1B2A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Memory allocated: 1570000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Memory allocated: 1B170000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1360000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1ADC0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1250000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1AEC0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 2080000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1A2B0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 9E0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1A660000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1720000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1AF20000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1690000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1B1F0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1060000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Memory allocated: 1ABA0000 memory reserve | memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

Window / User API: threadDelayed 9653

Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe TID: 7484	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe TID: 7916	Thread sleep time: -328000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe TID: 7916	Thread sleep time: -9653000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 6236	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 2920	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 1372	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 3344	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: xeno stub.exe, 00000002.00000002.3672508563.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW24%SystemRoot%\system32\mswsock.dll5341310004000001000100B5FC90E7027F67871E773A8FDE8938C81DD402BA65B9201D60593E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F74750E5975C64E2189F,
Source: Xeno.exe, 00000001.00000002.1233032417.000000001C2D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Roaming\xeno stub.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Users\user\AppData\Roaming\xeno stub.exe "C:\Users\user\AppData\Roaming\xeno stub.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Xeno.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\xeno.bat" "			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinService" /tr "C:\Users\user\AppData\Roaming\WinService.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode con: cols=69 lines=16			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Xeno.exe	Queries volume information: C:\Users\user\Desktop\Xeno.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Queries volume information: C:\Users\user\AppData\Roaming\xeno stub.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xeno stub.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WinService.exe	Queries volume information: C:\Users\user\AppData\Roaming\WinService.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Xeno.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1216993918.0000000000E32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xeno.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xeno stub.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: 2.0.xeno stub.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32df8d0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32d5c90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32d5c90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Xeno.exe.32df8d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1216993918.0000000000E32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1232584353.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xeno.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xeno stub.exe PID: 7540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\xeno stub.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WinService.exe, type: DROPPED