exelastealer | d40fe4d7db58f613c6c0ff92fdd6f4af4266c80beaf395fc53b6b18978ae357e

Analysis

max time kernel
110s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4cd49f80e7015a4dbe70ace0e353320N.exe
Size

9.5MB
MD5

e4cd49f80e7015a4dbe70ace0e353320
SHA1

46b4d254c1e544ef4d1aae69e863a2aad0eb7530
SHA256

d40fe4d7db58f613c6c0ff92fdd6f4af4266c80beaf395fc53b6b18978ae357e
SHA512

f14a33ba03f8a25384c3b340cf7782b5778646162ffd031039fcdf08bc4b48e4d26b78992f733a7de1c32b641dfd8ace12b738088f0282aa454d9cc72ccd1822
SSDEEP

98304:mMUl3vDNDpzWewc8V9thtQshR5dHv8MMhJMjarOa7ObO/OH9KkqyW1jgeDCoO9An:m1B1zW9Jb3tQk5tEB6yj+K0WKVqUnvg

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4232	netsh.exe
4692	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2652	cmd.exe
1376	powershell.exe

Loads dropped DLL 26 IoCs

pid	Process
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe
2324	e4cd49f80e7015a4dbe70ace0e353320N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023458-40.dat	upx
behavioral2/memory/2324-44-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp	upx
behavioral2/files/0x0007000000023430-46.dat	upx
behavioral2/memory/2324-52-0x00007FF9B2AA0000-0x00007FF9B2AC4000-memory.dmp	upx
behavioral2/files/0x0007000000023439-71.dat	upx
behavioral2/files/0x0007000000023438-70.dat	upx
behavioral2/files/0x0007000000023437-69.dat	upx
behavioral2/files/0x0007000000023436-68.dat	upx
behavioral2/files/0x0007000000023435-67.dat	upx
behavioral2/files/0x0007000000023434-66.dat	upx
behavioral2/files/0x0007000000023433-65.dat	upx
behavioral2/files/0x0007000000023432-64.dat	upx
behavioral2/files/0x0007000000023431-63.dat	upx
behavioral2/files/0x000700000002342f-62.dat	upx
behavioral2/files/0x000700000002342e-61.dat	upx
behavioral2/files/0x000700000002342d-60.dat	upx
behavioral2/files/0x000700000002345b-59.dat	upx
behavioral2/files/0x000700000002345a-58.dat	upx
behavioral2/files/0x0007000000023459-57.dat	upx
behavioral2/files/0x0007000000023456-56.dat	upx
behavioral2/files/0x0007000000023453-55.dat	upx
behavioral2/files/0x0007000000023451-54.dat	upx
behavioral2/memory/2324-73-0x00007FF9B2AF0000-0x00007FF9B2AFF000-memory.dmp	upx
behavioral2/files/0x0007000000023452-53.dat	upx
behavioral2/memory/2324-75-0x00007FF9AE850000-0x00007FF9AE869000-memory.dmp	upx
behavioral2/memory/2324-77-0x00007FF9B2AE0000-0x00007FF9B2AED000-memory.dmp	upx
behavioral2/memory/2324-79-0x00007FF9AE6E0000-0x00007FF9AE6F8000-memory.dmp	upx
behavioral2/memory/2324-81-0x00007FF9AE6A0000-0x00007FF9AE6CC000-memory.dmp	upx
behavioral2/memory/2324-83-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp	upx
behavioral2/memory/2324-85-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp	upx
behavioral2/memory/2324-87-0x00007FF9AE470000-0x00007FF9AE49E000-memory.dmp	upx
behavioral2/memory/2324-92-0x00007FF99E360000-0x00007FF99E418000-memory.dmp	upx
behavioral2/memory/2324-91-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp	upx
behavioral2/memory/2324-95-0x00007FF9B2AA0000-0x00007FF9B2AC4000-memory.dmp	upx
behavioral2/memory/2324-94-0x00007FF99DFE0000-0x00007FF99E355000-memory.dmp	upx
behavioral2/memory/2324-101-0x00007FF9B29E0000-0x00007FF9B29F0000-memory.dmp	upx
behavioral2/files/0x0007000000023455-102.dat	upx
behavioral2/memory/2324-100-0x00007FF9AE850000-0x00007FF9AE869000-memory.dmp	upx
behavioral2/memory/2324-97-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp	upx
behavioral2/memory/2324-103-0x00007FF9AE320000-0x00007FF9AE334000-memory.dmp	upx
behavioral2/memory/2324-106-0x00007FF9AE010000-0x00007FF9AE025000-memory.dmp	upx
behavioral2/files/0x000700000002345d-109.dat	upx
behavioral2/memory/2324-108-0x00007FF99DEC0000-0x00007FF99DFD8000-memory.dmp	upx
behavioral2/memory/2324-112-0x00007FF9ADFE0000-0x00007FF9AE002000-memory.dmp	upx
behavioral2/memory/2324-111-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp	upx
behavioral2/files/0x0007000000023450-114.dat	upx
behavioral2/memory/2324-105-0x00007FF9AE6E0000-0x00007FF9AE6F8000-memory.dmp	upx
behavioral2/memory/2324-116-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp	upx
behavioral2/memory/2324-117-0x00007FF99D650000-0x00007FF99DDF1000-memory.dmp	upx
behavioral2/memory/2324-120-0x00007FF9ADF80000-0x00007FF9ADFB8000-memory.dmp	upx
behavioral2/memory/2324-119-0x00007FF9AE470000-0x00007FF9AE49E000-memory.dmp	upx
behavioral2/memory/2324-130-0x00007FF99E360000-0x00007FF99E418000-memory.dmp	upx
behavioral2/memory/2324-173-0x00007FF99DFE0000-0x00007FF99E355000-memory.dmp	upx
behavioral2/memory/2324-176-0x00007FF9ADEE0000-0x00007FF9ADEED000-memory.dmp	upx
behavioral2/memory/2324-175-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp	upx
behavioral2/memory/2324-193-0x00007FF9B29E0000-0x00007FF9B29F0000-memory.dmp	upx
behavioral2/memory/2324-196-0x00007FF99DEC0000-0x00007FF99DFD8000-memory.dmp	upx
behavioral2/memory/2324-200-0x00007FF9ADFE0000-0x00007FF9AE002000-memory.dmp	upx
behavioral2/memory/2324-206-0x00007FF99D650000-0x00007FF99DDF1000-memory.dmp	upx
behavioral2/memory/2324-227-0x00007FF9ADEE0000-0x00007FF9ADEED000-memory.dmp	upx
behavioral2/memory/2324-215-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp	upx
behavioral2/memory/2324-214-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp	upx
behavioral2/memory/2324-207-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp	upx
behavioral2/memory/2324-219-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4552	cmd.exe
1800	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4512	tasklist.exe
4792	tasklist.exe
4128	tasklist.exe
5048	tasklist.exe
3856	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
956	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4100	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000700000002345f-134.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3400	cmd.exe
1788	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1652	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3588	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1820	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2620	ipconfig.exe
1652	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5076	systeminfo.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3108	schtasks.exe
860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeDebugPrivilege	4512	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 2324	4184	e4cd49f80e7015a4dbe70ace0e353320N.exe	84
PID 4184 wrote to memory of 2324	4184	e4cd49f80e7015a4dbe70ace0e353320N.exe	84
PID 2324 wrote to memory of 2984	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	87
PID 2324 wrote to memory of 2984	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	87
PID 2324 wrote to memory of 2936	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	88
PID 2324 wrote to memory of 2936	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	88
PID 2324 wrote to memory of 3448	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	89
PID 2324 wrote to memory of 3448	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	89
PID 2984 wrote to memory of 1820	2984	cmd.exe	94
PID 2984 wrote to memory of 1820	2984	cmd.exe	94
PID 2324 wrote to memory of 3332	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	95
PID 2324 wrote to memory of 3332	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	95
PID 2324 wrote to memory of 1900	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	96
PID 2324 wrote to memory of 1900	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	96
PID 2936 wrote to memory of 4556	2936	cmd.exe	99
PID 2936 wrote to memory of 4556	2936	cmd.exe	99
PID 1900 wrote to memory of 4512	1900	cmd.exe	100
PID 1900 wrote to memory of 4512	1900	cmd.exe	100
PID 2324 wrote to memory of 4232	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	102
PID 2324 wrote to memory of 4232	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	102
PID 4232 wrote to memory of 1688	4232	cmd.exe	104
PID 4232 wrote to memory of 1688	4232	cmd.exe	104
PID 2324 wrote to memory of 3112	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	105
PID 2324 wrote to memory of 3112	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	105
PID 2324 wrote to memory of 2124	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	106
PID 2324 wrote to memory of 2124	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	106
PID 2124 wrote to memory of 4792	2124	cmd.exe	109
PID 2124 wrote to memory of 4792	2124	cmd.exe	109
PID 3112 wrote to memory of 4520	3112	cmd.exe	110
PID 3112 wrote to memory of 4520	3112	cmd.exe	110
PID 2324 wrote to memory of 956	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	111
PID 2324 wrote to memory of 956	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	111
PID 956 wrote to memory of 1004	956	cmd.exe	150
PID 956 wrote to memory of 1004	956	cmd.exe	150
PID 2324 wrote to memory of 452	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	114
PID 2324 wrote to memory of 452	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	114
PID 452 wrote to memory of 4988	452	cmd.exe	116
PID 452 wrote to memory of 4988	452	cmd.exe	116
PID 2324 wrote to memory of 408	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	117
PID 2324 wrote to memory of 408	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	117
PID 408 wrote to memory of 860	408	cmd.exe	119
PID 408 wrote to memory of 860	408	cmd.exe	119
PID 2324 wrote to memory of 4116	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	120
PID 2324 wrote to memory of 4116	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	120
PID 4116 wrote to memory of 3108	4116	cmd.exe	122
PID 4116 wrote to memory of 3108	4116	cmd.exe	122
PID 2324 wrote to memory of 2944	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	123
PID 2324 wrote to memory of 2944	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	123
PID 2324 wrote to memory of 2712	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	124
PID 2324 wrote to memory of 2712	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	124
PID 2944 wrote to memory of 4132	2944	cmd.exe	127
PID 2944 wrote to memory of 4132	2944	cmd.exe	127
PID 2712 wrote to memory of 4128	2712	cmd.exe	128
PID 2712 wrote to memory of 4128	2712	cmd.exe	128
PID 2324 wrote to memory of 3028	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	129
PID 2324 wrote to memory of 3028	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	129
PID 2324 wrote to memory of 2360	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	130
PID 2324 wrote to memory of 2360	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	130
PID 2324 wrote to memory of 3668	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	131
PID 2324 wrote to memory of 3668	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	131
PID 2324 wrote to memory of 2652	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	132
PID 2324 wrote to memory of 2652	2324	e4cd49f80e7015a4dbe70ace0e353320N.exe	132
PID 2360 wrote to memory of 2128	2360	cmd.exe	137
PID 2360 wrote to memory of 2128	2360	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1004	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e4cd49f80e7015a4dbe70ace0e353320N.exe
"C:\Users\Admin\AppData\Local\Temp\e4cd49f80e7015a4dbe70ace0e353320N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\e4cd49f80e7015a4dbe70ace0e353320N.exe
  "C:\Users\Admin\AppData\Local\Temp\e4cd49f80e7015a4dbe70ace0e353320N.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe"
      4⤵
      Views/modifies file attributes
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "Troll$hopUpdateService""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "Troll$hopUpdateService"
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "Troll$hopUpdateService" /tr "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Troll$hopUpdateService" /tr "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "Troll$hopUpdateService2" /tr "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "Troll$hopUpdateService2" /tr "C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3028
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3160
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2128
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3668
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3400
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4552
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5076
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3588
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3208
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4984
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3880
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4908
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2532
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4980
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3916
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2668
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3856
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2620
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2168
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1800
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1652
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4100
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4232
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI41842\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_asyncio.pyd

Filesize
35KB

MD5
f8158c5eb62e2320ec791768dfa2abfe

SHA1
a723c331ad055fa6948b1cbe6165abfe0f269da3

SHA256
811e0548d499ac58721a75c4d35e5e1ff4503e17541c4f1f3d53ac9b0aa83d46

SHA512
ff34a3d1f0086c35bd1717d37fbf20e03a9bfff373e034887ba54238fbcb0611485488f6290007b200265bed89b0fec26fd059ab365e8079695f0de4e5176083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_bz2.pyd

Filesize
47KB

MD5
3367c5c2745c3a84247dab07fb969d64

SHA1
a9fd64d64f82cc1fa479eea27a8ad74284f455b7

SHA256
51532c3fa8409340413425830fe308c7393adbca0a2f13a694f6ee74d4fc0f39

SHA512
2208fb9d300f190b6aecb610485a29d7005d96d9001150c0d0cdc95f294860c631ca78a8163a9cabb7a3d1d5fef1e867056a1a8d0a761301049ffab4fb4ec6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
e3bcdf92f94fac36d74ca4d57fc651ed

SHA1
519264bc498e253a62f540d8f106343c6772ef68

SHA256
8fa7db27750c4351d403271dc525a411840844cc913415eca2b1866c5e9dbd7f

SHA512
520eb876eb2a090d126780f0e8457ebb948337499db815a23dc5231d2ae80aef2f9ada14f13aa347e8aec5385a1ed85cdc8b3162ed4ca5976b77228f97a85806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_ctypes.pyd

Filesize
58KB

MD5
cf0a864604feaf122e4bd593d321a0b5

SHA1
f599f9ee5297fc9a01ab17fa628e14f6468104c1

SHA256
9d96c349f22c8d7e28d05f17264eb6115e15afd8e2518b3338f03af0f6083beb

SHA512
80efdcf72c0c1fbc1c5e2e0bbd6e3502f45946dec7e8daf430d42872a39e0f9f4d1c61225e74a641e7de9081e367e27d19e9ed48c3347f48fe6dc3456f7b4306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_decimal.pyd

Filesize
105KB

MD5
64feb9d3764cceff0c6e0f7544f90d18

SHA1
c27f7c4e407309536ce7605d371fcd3cfa92b47a

SHA256
d745e196de595f8ddc4236d889264d1b8b3d5aad0c0b7f2361d07b471072681e

SHA512
015dacfc6f1545d505e0a897ad8afd325eeba2f9912475a3accf9b6c450c662a3111c1aef25747107244c7b41e81d867e0e9853a757b248bdc2f529045c3c83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_hashlib.pyd

Filesize
35KB

MD5
0533bc5b33201e2784315f22ac3b9069

SHA1
ac7ab28e03359ca1b0fa876e64fefea31d697fea

SHA256
dc34f1098494e84ae3126e63378e23e1c297ee6797dbc14cc792c7b1e6df22ca

SHA512
9342e19c2429558e689ac1abfc1b0c18fbfe465080d23d61985d097a187ed0f395652053957108be59243e4fd7c841942f175ca5b4959558219744909a96434c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_lzma.pyd

Filesize
85KB

MD5
d2dc28d887589d530361a4f6b7571ab9

SHA1
61676925268e04e8616425fea856ccaae18706ba

SHA256
9e6c05e69fdc43e94c380bbc2f0da0b4c135fd3b3ddb6f08d9daf811c54db21b

SHA512
f24ed31691bc70d4e633a9dd39ba68aa408e7a8136126a407b00dd9cdbea91af7d53e887a8c51a900532ab7b1ff76e33b57a7edfc763c6e7af2bbf8da8243f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_multiprocessing.pyd

Filesize
26KB

MD5
7f43c9591bbd4bfed4670d442639dff2

SHA1
fef0349ee796deb153f27328c45e09b9876be8a0

SHA256
dfdafdce8ccfcd2dc9e9b8b61ac109a54d0008325b4435a3d3269e93615a386f

SHA512
4559551e33d7e24eb2276d97f8a011fba2a7c41a23ed13c0d3c7a462fcb4aa351c5a2c9b54e89eed55a422b0bd1df016b0626b9445c6eaf30c29f08c10925a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_overlapped.pyd

Filesize
31KB

MD5
12a610149e1f4a38851a94cda5f989ef

SHA1
265e022d6e710ba653fb76e72d18c9ee558f87ca

SHA256
25f08358a371b7e74fe2ae6ea66e91fef45d48ef05e51ef68fffbc573c99748e

SHA512
46e5a0a49feeb545f7e8b8a18075db46365b19ff07cf35788c2b4bb7bdcc9408517743a9d35de9a7d18b9fe00b21d3fcdd6dd7dac1c15c26eae09f3489a030f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_queue.pyd

Filesize
25KB

MD5
3c9b6b026dc950ef6632fc4fbc2b7205

SHA1
705cfb2e759e9ece067fe436a0d48ca21a161585

SHA256
ed2295c3c8a7f8d77d60f80dfec8250db3d08b31cb96d2f262255a95673c3050

SHA512
f4abdf12fc6e7174dab9f999d41e0037d5ddc3e83fd6cad7477b140a9d9678f5532beb10e38e51b6338b047d5831199ef18017ff01fe9e2f2339d68e95db967c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_socket.pyd

Filesize
42KB

MD5
3e3fd9ff420c702c8e9ef725b1c59a1e

SHA1
c946c1db987dfa45b9bc980f46d29fce14e0b4cd

SHA256
f7b7a3c0b4c5d4448f241e767bb1e5ac457e2a0a3493b158b36f098dced53642

SHA512
fd1f82e400aeba9a2ebc17378c9f97bb510549c7765c73f203d573e7bc1d81dc5a792668e5bce24e4e3c0afc6c12cdb29f075d8d7bab6d2b7282bf2aad6def55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_sqlite3.pyd

Filesize
49KB

MD5
f051889e8bf1be3aaf3bdf603f705b62

SHA1
509fd7b5fae7c6b86867d69ff5f9cfa2033a6fd3

SHA256
e4616fcf71f115492c5fa23add3d86d331a13303e0baf3e60cfc22688968cc6c

SHA512
618b17021d7f11876df2d534cb20ad20e9c5bef945a0dd00a7746c9edf90346ee9faf72df0ba7f019ee70622593b53d1f3dc90b8f4347763cffc71205bcd322f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_ssl.pyd

Filesize
62KB

MD5
d0170485d2083c4691dd6bd3c4395c60

SHA1
13fe9350347d8bc372b45f9847d840f825196e00

SHA256
cabe1346c9e5cbb3262633c31b85f88aed382937b9c89bd91d3c903393070c76

SHA512
78005140bc4691c5e9707ab7a0c1cecd40ef0fadd51cc2d9354a8742cc217bf64fde3817c87c4fe5e858590bd2c22209bfff11e75d2c45889eadd270020086e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\_uuid.pyd

Filesize
24KB

MD5
ecf3d9de103ba77730ed021fe69a2804

SHA1
ce7eae927712fda0c70267f7db6bcb8406d83815

SHA256
7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea

SHA512
c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\attrs-23.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\attrs-23.2.0.dist-info\METADATA

Filesize
9KB

MD5
e32d387a89f0114b8f9b9a809905299d

SHA1
a055c9fbf5416c83d5150d49ca16c58762b8b84a

SHA256
5b0bc6ece1f22a310fa72154642098b759f413f09ca9d45bedb96218475c9be0

SHA512
6eee3e19af46a79e2110678f8d3d15ea4b2eb1355d0fc9581da2c8e91d28926a2771394ea447e15cbc311a9dd9de2a20e2ac0e0abf9db6d4d51982199a12e881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\attrs-23.2.0.dist-info\RECORD

Filesize
3KB

MD5
6c52aedcea3e17f16fecf785b40569bc

SHA1
542af34619af0f8ffe4d82ae97399aa81dee4b3c

SHA256
18df33cd1686d0a82caf42c65f8070d8af90d7b77452d7b3926aa69ddd0ad028

SHA512
661cb60c08597511ebcc0c2b7472203d67d725d2a23eba544743576f70612d86a30bd2a20bd3cbeb8c45cf5435a0c205d036ca3b4fdb8a1bf5476c939e0868a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\attrs-23.2.0.dist-info\WHEEL

Filesize
87B

MD5
c58f7d318baa542f6bfd220f837ab63f

SHA1
f655fc3c0eb1bf12629c5750b2892bd896c3e7d9

SHA256
99161210bdc887a8396bf095308730885fffd007b8fe02d8874d5814dc22ab59

SHA512
3da6980a39c368ab7f7527fcd5fcdaa9d321060174baae163bf73f8052a2ac1a73f476c3882855965dfc2cb13c7c3ec1a012882201389dac887f9be59540c80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\attrs-23.2.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\cryptography-43.0.0.dist-info\METADATA

Filesize
5KB

MD5
1682e8458a9f3565fd0941626cbe4302

SHA1
e5937d80b6ba976905491c9dbd8e16d0226795b5

SHA256
24f9838874233de69f9de9aebd95359e499498508d962b605d90186288d7d8c0

SHA512
2dc669a07dd263c967d637ac2e76ed3788830d96b91e256e16125997c4e3a68d268dc220c056bbfbc3b5e7def7d063b776d9d1da303a840ff203dae668d7a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
a126c6db75c5e2c29e53bb1284c9b4b1

SHA1
e1b5b4f3105351ff02437d87212b9812457d4f88

SHA256
4332ba003f33faf876c8767550e129195122960d32c94003dcfef17af8292c54

SHA512
b5675d6dc39acc900f374b60186cf8c3442657a6f5a160d9e592dcb9549fd092a99b882da183712f85570017888bc43c2de9ec41aaf5e94ccd445fac977577f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
46edee4fdfb9b727f4382e3483082253

SHA1
08b89604e013e90057f2aad73527d564f745695e

SHA256
574e07c1a0587b8edc5d91a91f6050fd11f28f6f70e6b589451b0657d189e67b

SHA512
63bed16feea3a4ad980ff4c1f84cfb4dbd98a43e9d212f57c6dfd73e12af9ff317935a4e59ab4de5749ce5360fedff79d22c14df71b0ae85735fb1b715c435a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\libffi-7.dll

Filesize
23KB

MD5
4e261cbb8247260ea91860986110f805

SHA1
1563d67c2aabcb5e00e25ef293456c6481a2adc3

SHA256
ddfd0755e011ea0df26d77cf3628e2cc59653aee02bf241b54b6b08561520453

SHA512
076cdc8759f9cbbf7f8dc7b1eaba3c51f6c40ae6043b1fb55aa2fb83f81e86933d0f885a61d83300173b9bd7c589ff126e2a5d858a3f4036390d02eb1e73d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\libssl-1_1.dll

Filesize
203KB

MD5
6e53647fe8e3a58b0da311a6d1b6b682

SHA1
f75631d29f9d869b38c36b6854da7ca0199e03ac

SHA256
9ec69488f5d80b96a349552caae9a362c1938b89f6584a0f36060de9decd7f82

SHA512
4c01494f27588cd9840ae4b83f14185b846ace4a97cd2d6c054fd34194963d19213ead934c43a19fb9b40166bedea656b5492f440fc7921071bf2f6c79a0708f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
357e56dd0b796f19465d7250af014c86

SHA1
1649bef3abf1385ba7b2d6b5e5b704fc8689228b

SHA256
6bf71c0d5dafde1b115d0757da8b4a28d806dff1f348218ac124bd25940550c5

SHA512
a4135b9cf6d6397e2672c06f0d7c31b3ba9129ea62fa24d16fab26864c29bb0bfa3208d9daad2a851b74deb6861d9a33a16d3f2f78484820ba67759c8174293b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\pyexpat.pyd

Filesize
87KB

MD5
ba988567176849596e0b9e3b821c3fe8

SHA1
ded518f93b75c36d3a663f9dd92544e8be64eb9c

SHA256
e3d4364e05938acbd5abc3c1f3acd4790c7c5e920fdc4c0a14da31ac989b68fd

SHA512
af5722b9e97987c199b93a6e99f3d045b087d02a3ed344f8db78dfa60de032fa5992608d0a5bd36584a1bc273520d38aa6a5d78af6288ca013ac59af691e4ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\python3.DLL

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\python310.dll

Filesize
1.4MB

MD5
9600309061410d746dfa3909b102b7f3

SHA1
120ca4a2addaff66906ea3c593b0449257e66b3a

SHA256
7a0c24dc61bb967acba7495da14fcd779880e0813ad5761fb2b0b30e56eb3c3b

SHA512
ab6abff687ef417eca51b67f5d500e863c23485a442c51068389cb461d47053c82205e69470d06d12e8bf0b32e445612af1ee49977cdc8e34509ed467a34820c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\select.pyd

Filesize
25KB

MD5
d2c8cf5eaf2b477c42d35fa966414569

SHA1
e9e82a71b6fe205dd3469eb50627a1fea8dac53f

SHA256
f4ff446fe0bf9be633d8b11436619a279468ba1edd32a95c00d8591ee1cf825c

SHA512
f17e44a7087bd4ff1ddb4a3f7c8cc8980d1e52aabd3dd5d814f1a52b7adebd5100c84a0db6e9fb4547b2b91a39524c2ae6aaa5dbf6fe6b2e9ea2556e73395b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\sqlite3.dll

Filesize
622KB

MD5
c4f451ffc4f1b68ba505930c24ccfa9a

SHA1
7043c8531ba521848e05d078ac62b5a136ab3618

SHA256
9cb4dab896c26d408d7191c39395b9c745b94eb38bf21757955194c5c3865d52

SHA512
c55e1069216ed291741f7995812c5c463b560f3cd36f882be71c20dca59122395b8bc93a8f984a0f3b4ff7d4caaa576804643f96ade4e6f9c0c9ffcbdbc3e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\unicodedata.pyd

Filesize
289KB

MD5
5617f9097592ce9e6bc483dc4695849f

SHA1
1c2787e5560a10da8a28e0a4719828854a0b24ee

SHA256
f846cd2c56d8470e099919326a785be4a93cb3aaf73cfd84ff334a0b94abc52b

SHA512
42aaa8d11b5baa87e5f39894eaeb493a9acdd4519b47f8b278ec3f82b06a53a6b3219f8bd759d1dbdd93369533a43cd14a4faeb220ffc5033c3b70c4759c128f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41842\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
40KB

MD5
d6151d31b23571bac472ba3b02b3cc25

SHA1
e6dfbf00599f86ed9a3b2f08acacdc054a98f5be

SHA256
0958f0e493271fd0be7e386ad1eb116e150d2569a78de7d92837c29c416d9b76

SHA512
2392c1ae1755c648ee8c69a22a8f39517fd9e866328c7b540d8c5b615e0f1b769d21d4e0f43c6c5720555471c04424c91a6af2c3cfcbf0db7ca3b1703d313f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_keghwn0g.wb5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Troll$hopUpdateService\Troll$hop.exe

Filesize
9.5MB

MD5
e4cd49f80e7015a4dbe70ace0e353320

SHA1
46b4d254c1e544ef4d1aae69e863a2aad0eb7530

SHA256
d40fe4d7db58f613c6c0ff92fdd6f4af4266c80beaf395fc53b6b18978ae357e

SHA512
f14a33ba03f8a25384c3b340cf7782b5778646162ffd031039fcdf08bc4b48e4d26b78992f733a7de1c32b641dfd8ace12b738088f0282aa454d9cc72ccd1822

Download Submit
memory/1376-179-0x0000020444820000-0x0000020444842000-memory.dmp

Filesize
136KB

Download
memory/2324-103-0x00007FF9AE320000-0x00007FF9AE334000-memory.dmp

Filesize
80KB

Download
memory/2324-83-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp

Filesize
124KB

Download
memory/2324-101-0x00007FF9B29E0000-0x00007FF9B29F0000-memory.dmp

Filesize
64KB

Download
memory/2324-95-0x00007FF9B2AA0000-0x00007FF9B2AC4000-memory.dmp

Filesize
144KB

Download
memory/2324-100-0x00007FF9AE850000-0x00007FF9AE869000-memory.dmp

Filesize
100KB

Download
memory/2324-97-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp

Filesize
80KB

Download
memory/2324-91-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp

Filesize
4.4MB

Download
memory/2324-106-0x00007FF9AE010000-0x00007FF9AE025000-memory.dmp

Filesize
84KB

Download
memory/2324-92-0x00007FF99E360000-0x00007FF99E418000-memory.dmp

Filesize
736KB

Download
memory/2324-108-0x00007FF99DEC0000-0x00007FF99DFD8000-memory.dmp

Filesize
1.1MB

Download
memory/2324-112-0x00007FF9ADFE0000-0x00007FF9AE002000-memory.dmp

Filesize
136KB

Download
memory/2324-111-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp

Filesize
124KB

Download
memory/2324-93-0x00000227BE060000-0x00000227BE3D5000-memory.dmp

Filesize
3.5MB

Download
memory/2324-105-0x00007FF9AE6E0000-0x00007FF9AE6F8000-memory.dmp

Filesize
96KB

Download
memory/2324-116-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp

Filesize
1.5MB

Download
memory/2324-117-0x00007FF99D650000-0x00007FF99DDF1000-memory.dmp

Filesize
7.6MB

Download
memory/2324-120-0x00007FF9ADF80000-0x00007FF9ADFB8000-memory.dmp

Filesize
224KB

Download
memory/2324-119-0x00007FF9AE470000-0x00007FF9AE49E000-memory.dmp

Filesize
184KB

Download
memory/2324-130-0x00007FF99E360000-0x00007FF99E418000-memory.dmp

Filesize
736KB

Download
memory/2324-131-0x00000227BE060000-0x00000227BE3D5000-memory.dmp

Filesize
3.5MB

Download
memory/2324-87-0x00007FF9AE470000-0x00007FF9AE49E000-memory.dmp

Filesize
184KB

Download
memory/2324-173-0x00007FF99DFE0000-0x00007FF99E355000-memory.dmp

Filesize
3.5MB

Download
memory/2324-176-0x00007FF9ADEE0000-0x00007FF9ADEED000-memory.dmp

Filesize
52KB

Download
memory/2324-175-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp

Filesize
80KB

Download
memory/2324-85-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp

Filesize
1.5MB

Download
memory/2324-94-0x00007FF99DFE0000-0x00007FF99E355000-memory.dmp

Filesize
3.5MB

Download
memory/2324-193-0x00007FF9B29E0000-0x00007FF9B29F0000-memory.dmp

Filesize
64KB

Download
memory/2324-81-0x00007FF9AE6A0000-0x00007FF9AE6CC000-memory.dmp

Filesize
176KB

Download
memory/2324-196-0x00007FF99DEC0000-0x00007FF99DFD8000-memory.dmp

Filesize
1.1MB

Download
memory/2324-200-0x00007FF9ADFE0000-0x00007FF9AE002000-memory.dmp

Filesize
136KB

Download
memory/2324-206-0x00007FF99D650000-0x00007FF99DDF1000-memory.dmp

Filesize
7.6MB

Download
memory/2324-227-0x00007FF9ADEE0000-0x00007FF9ADEED000-memory.dmp

Filesize
52KB

Download
memory/2324-215-0x00007FF9AD750000-0x00007FF9AD8CD000-memory.dmp

Filesize
1.5MB

Download
memory/2324-214-0x00007FF9AE4A0000-0x00007FF9AE4BF000-memory.dmp

Filesize
124KB

Download
memory/2324-207-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp

Filesize
4.4MB

Download
memory/2324-219-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp

Filesize
80KB

Download
memory/2324-208-0x00007FF9B2AA0000-0x00007FF9B2AC4000-memory.dmp

Filesize
144KB

Download
memory/2324-79-0x00007FF9AE6E0000-0x00007FF9AE6F8000-memory.dmp

Filesize
96KB

Download
memory/2324-77-0x00007FF9B2AE0000-0x00007FF9B2AED000-memory.dmp

Filesize
52KB

Download
memory/2324-75-0x00007FF9AE850000-0x00007FF9AE869000-memory.dmp

Filesize
100KB

Download
memory/2324-73-0x00007FF9B2AF0000-0x00007FF9B2AFF000-memory.dmp

Filesize
60KB

Download
memory/2324-52-0x00007FF9B2AA0000-0x00007FF9B2AC4000-memory.dmp

Filesize
144KB

Download
memory/2324-44-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp

Filesize
4.4MB

Download
memory/2324-237-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp

Filesize
4.4MB

Download
memory/2324-254-0x00007FF9ADFE0000-0x00007FF9AE002000-memory.dmp

Filesize
136KB

Download
memory/2324-249-0x00007FF9AE450000-0x00007FF9AE464000-memory.dmp

Filesize
80KB

Download
memory/2324-248-0x00007FF99DFE0000-0x00007FF99E355000-memory.dmp

Filesize
3.5MB

Download
memory/2324-247-0x00007FF99E360000-0x00007FF99E418000-memory.dmp

Filesize
736KB

Download
memory/2324-246-0x00007FF9AE470000-0x00007FF9AE49E000-memory.dmp

Filesize
184KB

Download
memory/2324-258-0x00007FF99E840000-0x00007FF99ECA6000-memory.dmp

Filesize
4.4MB

Download