Analysis

  • max time kernel
    8s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-02-2024 14:56

General

  • Target

    DeltaX.exe

  • Size

    13.3MB

  • MD5

    a0d656f1bd9867e9f387c37a8fe3ecf4

  • SHA1

    c2e70f63757ad80f2f796ad7c60579ce5ead712f

  • SHA256

    84f6b85e0e19306dcf3be51ccad790a4ceb8541f1c51a606df7464b7097c35a9

  • SHA512

    b614a16d83dccc51ee7f36b19e298f2e0f58319f8de72a19e30766126d04fad9701f9c47efed00d1f27117b9e833c53c28e3bf3f4121040ab9e5a82968a0bd4b

  • SSDEEP

    393216:sWzvW/5NIHHZhcW7CuvEPHM9LhqvPs3jEg/:sCvW/5NIHHRE09Lhqc3jE

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeltaX.exe
    "C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Users\Admin\AppData\Local\Temp\Lol.exe
      "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
      2⤵
      • Executes dropped EXE
      PID:3252
      • C:\Users\Admin\AppData\Roaming\server.exe
        "C:\Users\Admin\AppData\Roaming\server.exe"
        3⤵
        PID:336
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2240
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
          4⤵
          • Modifies Windows Firewall
          PID:3068
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:4492
    • C:\Users\Admin\AppData\Local\Temp\creal.exe
      "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      2⤵
      • Executes dropped EXE
      PID:828
      • C:\Users\Admin\AppData\Local\Temp\creal.exe
        "C:\Users\Admin\AppData\Local\Temp\creal.exe"
        3⤵
        PID:2512
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"
          4⤵
          PID:4404
          • C:\Windows\system32\curl.exe
            curl http://api.ipify.org/ --ssl-no-revoke
            5⤵
            PID:2376
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic bios get smbiosbiosversion"
          4⤵
          PID:652
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic bios get smbiosbiosversion
            5⤵
            PID:4872
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic MemoryChip get /format:list | find /i "Speed""
          4⤵
          PID:3076
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic MemoryChip get /format:list
            5⤵
            PID:740
          • C:\Windows\system32\find.exe
            find /i "Speed"
            5⤵
            PID:4920
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell wininit.exe"
          4⤵
          PID:3156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell wininit.exe
            5⤵
            PID:2036
            • C:\Windows\system32\wininit.exe
              "C:\Windows\system32\wininit.exe"
              6⤵
              PID:3288
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Lol.exe
    Filesize: 93KB
    MD5: 9e4d9908815be3e2244c857863ec309a
    SHA1: e0dc0c88151069986c7104d12fa3223ad1fe07bb
    SHA256: a976cc4bb39183a99f5341cda18b789d1c345eaf37221c71291b823eb457c6be
    SHA512: 795bebd046b5c147fed8726a7f772d2e5900be31e1f1a81d4052619d4325e1f51445193319ad93e37d17c70d4ac0ff01d2ebbe6ac2d85c4feb91dbfe992d8b9b

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\VCRUNTIME140.dll
    Filesize: 116KB
    MD5: be8dbe2dc77ebe7f88f910c61aec691a
    SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
    SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
    SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\VCRUNTIME140_1.dll
    Filesize: 48KB
    MD5: f8dfa78045620cf8a732e67d1b1eb53d
    SHA1: ff9a604d8c99405bfdbbf4295825d3fcbc792704
    SHA256: a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
    SHA512: ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_asyncio.pyd
    Filesize: 69KB
    MD5: 209cbcb4e1a16aa39466a6119322343c
    SHA1: cdcce6b64ebf11fecff739cbc57e7a98d6620801
    SHA256: f7069734d5174f54e89b88d717133bff6a41b01e57f79957ab3f02daa583f9e2
    SHA512: 5bbc4ede01729e628260cf39df5809624eae795fd7d51a1ed770ed54663955674593a97b78f66dbf6ae268186273840806ed06d6f7877444d32fdca031a9f0da

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_bz2.pyd
    Filesize: 82KB
    MD5: 59d60a559c23202beb622021af29e8a9
    SHA1: a405f23916833f1b882f37bdbba2dd799f93ea32
    SHA256: 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e
    SHA512: 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_cffi_backend.cp312-win_amd64.pyd
    Filesize: 178KB
    MD5: 0572b13646141d0b1a5718e35549577c
    SHA1: eeb40363c1f456c1c612d3c7e4923210eae4cdf7
    SHA256: d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
    SHA512: 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ctypes.pyd
    Filesize: 122KB
    MD5: 2a834c3738742d45c0a06d40221cc588
    SHA1: 606705a593631d6767467fb38f9300d7cd04ab3e
    SHA256: f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089
    SHA512: 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_decimal.pyd
    Filesize: 246KB
    MD5: f930b7550574446a015bc602d59b0948
    SHA1: 4ee6ff8019c6c540525bdd2790fc76385cdd6186
    SHA256: 3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544
    SHA512: 10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_hashlib.pyd
    Filesize: 64KB
    MD5: b0262bd89a59a3699bfa75c4dcc3ee06
    SHA1: eb658849c646a26572dea7f6bfc042cb62fb49dc
    SHA256: 4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67
    SHA512: 2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_lzma.pyd
    Filesize: 128KB
    MD5: 8e37104c43036438941309b575fd3f5e
    SHA1: a9480743462956ab8d75768dada5ab68f9814839
    SHA256: 0051b6d2d3cc1a4bfa8f829b47b4fb53be62ef7e3ce29aa67ae959743faca27d
    SHA512: 5ec7a2c31d90d4d3cb7c0cd230fa3ebbc5f63e7603316c9e59a66450f374279e8111b3b0512f5e456a72fe6c9d12de935a173708bcc9b0df76e5813481a83af5

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_lzma.pyd
    Filesize: 155KB
    MD5: b71dbe0f137ffbda6c3a89d5bcbf1017
    SHA1: a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f
    SHA256: 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a
    SHA512: 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_multiprocessing.pyd
    Filesize: 34KB
    MD5: 4ccbd87d76af221f24221530f5f035d1
    SHA1: d02b989aaac7657e8b3a70a6ee7758a0b258851b
    SHA256: c7bbcfe2511fd1b71b916a22ad6537d60948ffa7bde207fefabee84ef53cafb5
    SHA512: 34d808adac96a66ca434d209f2f151a9640b359b8419dc51ba24477e485685af10c4596a398a85269e8f03f0fc533645907d7d854733750a35bf6c691de37799

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_overlapped.pyd
    Filesize: 54KB
    MD5: 61193e813a61a545e2d366439c1ee22a
    SHA1: f404447b0d9bff49a7431c41653633c501986d60
    SHA256: c21b50a7bf9dbe1a0768f5030cac378d58705a9fe1f08d953129332beb0fbefc
    SHA512: 747e4d5ea1bdf8c1e808579498834e1c24641d434546bffdfcf326e0de8d5814504623a3d3729168b0098824c2b8929afc339674b0d923388b9dac66f5d9d996

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_queue.pyd
    Filesize: 31KB
    MD5: f3eca4f0b2c6c17ace348e06042981a4
    SHA1: eb694dda8ff2fe4ccae876dc0515a8efec40e20e
    SHA256: fb57ee6adf6e7b11451b6920ddd2fb943dcd9561c9eae64fdda27c7ed0bc1b04
    SHA512: 604593460666045ca48f63d4b14fa250f9c4b9e5c7e228cc9202e7692c125aacb0018b89faa562a4197692a9bc3d2382f9e085b305272ee0a39264a2a0f53b75

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_socket.pyd
    Filesize: 81KB
    MD5: 9c6283cc17f9d86106b706ec4ea77356
    SHA1: af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6
    SHA256: 5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027
    SHA512: 11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_sqlite3.pyd
    Filesize: 121KB
    MD5: 506b13dd3d5892b16857e3e3b8a95afb
    SHA1: 42e654b36f1c79000084599d49b862e4e23d75ff
    SHA256: 04f645a32b0c58760cc6c71d09224fe90e50409ef5c81d69c85d151dfe65aff9
    SHA512: a94f0e9f2212e0b89eb0b5c64598b18af71b59e1297f0f6475fa4674ae56780b1e586b5eb952c8c9febad38c28afd784273bbf56645db2c405afae6f472fb65c

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ssl.pyd
    Filesize: 15KB
    MD5: 408ef598f2e1a68b5af03e95f4c41207
    SHA1: 6d690f85e1a3d12b589cba5b4f3d574c11f61728
    SHA256: 1ab01307cf3f79c957acb790f325c87868f7389b33c8ea1eb238060d14610e30
    SHA512: 6495f08021bafe82109e4bed9c8ea5fe1615785586be03e0150943f6004a3e361c4349a0d2af4328b58bed29e4bc92b7729e2fa6447267678ccb8d755eefbdbe

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ssl.pyd
    Filesize: 173KB
    MD5: ddb21bd1acde4264754c49842de7ebc9
    SHA1: 80252d0e35568e68ded68242d76f2a5d7e00001e
    SHA256: 72bb15cd8c14ba008a52d23cdcfc851a9a4bde13deee302a5667c8ad60f94a57
    SHA512: 464520ecd1587f5cede6219faac2c903ee41d0e920bf3c9c270a544b040169dcd17a4e27f6826f480d4021077ab39a6cbbd35ebb3d71672ebb412023bc9e182a

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\_wmi.pyd
    Filesize: 35KB
    MD5: c1654ebebfeeda425eade8b77ca96de5
    SHA1: a4a150f1c810077b6e762f689c657227cc4fd257
    SHA256: aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9
    SHA512: 21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\base_library.zip
    Filesize: 256KB
    MD5: c42abdd15ffe6aef8c75b6f01dfdd393
    SHA1: f63b01d519ad135ae76074d10f59f65bf2c2268b
    SHA256: 26d8ca7243fa2eda8291ede91a36c6dbe6f805693f1c13c26c76ef2251eabdb9
    SHA512: 128cc844b573498cd70eb4525e999246f59cd0f7fe070bae81368010a56e983f8ad689b13957dfc9fa0b38c35c40a059a2a834d31e41615a7acc42806649eea6

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll
    Filesize: 4.4MB
    MD5: dd3701505cb131ad88a5b7260fe9e8b6
    SHA1: e211ddd09263dee72312c52693b521c750bdb337
    SHA256: ed039ce6adc8eec816bcea43670dc5a6cf12d900af6b44b446fcbc0330724ba4
    SHA512: c8d2c481c878d9b8513feffdac91680f93be8f1ba37ee15957a7c7923a76c22c75b54971456a57d1e3d20aacb5ce586be39b3e929334987f743a738d027aa780

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll
    Filesize: 2.5MB
    MD5: ed393417bccb40e2f62ecdded772a520
    SHA1: fa6135a8111857c82ce6b8f362c6749a155a51fa
    SHA256: 861c33d87e6f2b9574d61d30dbeb7e4bb2a5756a86d18730d99de7d3e401f343
    SHA512: 07af91371865c81b3518826722ee407ed5121162a94385808ff9ae235c52230be5b71c99e396cc9502c2171a0a9eb34bad427cab962788b7785d289530e58f3d

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll
    Filesize: 2.1MB
    MD5: 204167d7b96a364aef11693fc895ae82
    SHA1: cc8a0660b8b4b1ce8a8363fbbbfd15f7752c3cbe
    SHA256: b7d49c9782bee7fea6185681c48469a8e010308910b9ab1e02b165eb7eb4bc05
    SHA512: 8ebbf855a46aef5a5b2e4eadc92dfb19120e48402bf8c71c7ad0737ed71e1f54efcbabdc88fe1fa344ab9ff7a9284160155b4e888bf231f0bc40b7799d2bd241

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\libffi-8.dll
    Filesize: 38KB
    MD5: 0f8e4992ca92baaf54cc0b43aaccce21
    SHA1: c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
    SHA256: eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
    SHA512: 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\libssl-3.dll
    Filesize: 768KB
    MD5: 19a2aba25456181d5fb572d88ac0e73e
    SHA1: 656ca8cdfc9c3a6379536e2027e93408851483db
    SHA256: 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
    SHA512: df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\pyexpat.pyd
    Filesize: 194KB
    MD5: f179c9bdd86a2a218a5bf9f0f1cf6cd9
    SHA1: 4544fb23d56cc76338e7f71f12f58c5fe89d0d76
    SHA256: c42874e2cf034fb5034f0be35f7592b8a96e8903218da42e6650c504a85b37cc
    SHA512: 3464ece5c6a0e95ef6136897b70a96c69e552d28bfedd266f13eec840e36ec2286a1fb8973b212317de6fe3e93d7d7cc782eb6fc3d6a2a8f006b34f6443498de

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\python312.dll
    Filesize: 2.4MB
    MD5: 0206b294c6a32c63dfdbb5e87b5580e9
    SHA1: f328f90c3e68e661665ea1a12b4b6aa61a66dbbc
    SHA256: a4aa513abab33cd8b7f4d642ba6c7c106625459c438b2098869c7c1cf0406a6b
    SHA512: f9f5ffa151094938f57d2f976bfa984fe5c137c275d85b6389ab1b6fc382adb4d92eed3917a598db61122d3d124a9fa4a51c33cb4e2b36353699cbcfa696160e

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\python312.dll
    Filesize: 832KB
    MD5: fa6497a63c66cbcedfd65f85a1b493f0
    SHA1: 329dacc11cde1bbe6bf79da80b1ae22d16a02496
    SHA256: 713d84f033fdbbea0c28d481aa30959f750bf0eca740d8773025efa44162ba23
    SHA512: 7c24926cfcee382255e107cb2d4b4e8e153585dff1be1f6b1c1035838bd31864294c1b486668bc078a1fcae3d1d5cce9e4510b0371aebb12b7ddf5177053aef6

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\select.pyd
    Filesize: 29KB
    MD5: 8a273f518973801f3c63d92ad726ec03
    SHA1: 069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f
    SHA256: af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca
    SHA512: 7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\sqlite3.dll
    Filesize: 1.4MB
    MD5: c1161c1cec57c5fff89d10b62a8e2c3a
    SHA1: c4f5dea84a295ec3ff10307a0ea3ba8d150be235
    SHA256: d1fd3040acddf6551540c2be6ff2e3738f7bd4dfd73f0e90a9400ff784dd15e6
    SHA512: d545a6dc30f1d343edf193972833c4c69498dc4ea67278c996426e092834cb6d814ce98e1636c485f9b1c47ad5c68d6f432e304cd93ceed0e1e14feaf39b104a

  • C:\Users\Admin\AppData\Local\Temp\_MEI8282\unicodedata.pyd
    Filesize: 1.1MB
    MD5: 04f35d7eec1f6b72bab9daf330fd0d6b
    SHA1: ecf0c25ba7adf7624109e2720f2b5930cd2dba65
    SHA256: be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab
    SHA512: 3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mwpd1pz.y5h.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\creal.exe
    Filesize: 3.8MB
    MD5: 27a6867080c6c3a006e6545f4b24f122
    SHA1: 9aec6501cf1e11630b8f1a27cd77ef853ed66db4
    SHA256: aa79e63b93c76472f5852f4082e05ba1f9fdd10464dd9f494be1cef1c2a35afc
    SHA512: b9795ec7089905a54376f6d150454f974ec2b38d0563c25ce0e37e356a2537f9ec9e785ef81908593478e2dacfb1f28653bfde0babc75632be88afe9037ac701

  • C:\Users\Admin\AppData\Local\Temp\creal.exe
    Filesize: 3.1MB
    MD5: 35499a90e75eb907639e1aaadfc2ed1e
    SHA1: 575b79d233c5ae29f8d2cc6fa1767e8c30bd4363
    SHA256: 4c46d32148ce1eba7e05a8139858b0498e3d217600a1656a7a626bece2eafc30
    SHA512: 01b6051913945aa4e2e7f35e5c371f81259db1aa634988f6605440a7993be3a343f54145cbcfc6827c7e3e83742a55cdbe08e3f46637c2852a4edfe80b2021cf

  • C:\Users\Admin\AppData\Local\Temp\creal.exe
    Filesize: 2.9MB
    MD5: 97b7b754add895e79946b101f440fd16
    SHA1: 864d358b281bdbb4013a016ed23437fbcb67ccfc
    SHA256: 333d5b33dea6b4a789cf040990570f97b01e385befa310d0b37c5c30674a5960
    SHA512: 86f5bd6f6805a5755509ea8ad3abb46e1a9d460eaa06e246774811b1af104943b31ccc193341ab5535282df499cc0dc36aed38ee736e09b2144cd9e90b8fd27a

  • C:\Users\Admin\AppData\Local\Temp\creal.exe
    Filesize: 2.4MB
    MD5: 50f58bf46d72b55b090cd02182ae810c
    SHA1: d9e17356da5648178fc4be5ce89abb743d768d29
    SHA256: 7fe9a7993eb2da00b3b8cbfa5ff387ab697648933d35511ff2b25501583c959b
    SHA512: 364bc02bcbafaebb755f7ac65d8c2615cd09b55056d334dccbaee42e5fad32b71c41853294245365eb998cabc0dec2013daf5da2913bec5a2b44f17190452791

  • C:\Users\Admin\AppData\Roaming\app
    Filesize: 5B
    MD5: 8fc22f973bec7f0525710dcf02f05edf
    SHA1: 418f88fe2c59f8d9579994aec4034d785e8ac00c
    SHA256: ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46
    SHA512: ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

  • memory/336-141-0x0000000073410000-0x00000000739C1000-memory.dmp
    Filesize: 5.7MB

  • memory/336-140-0x0000000000730000-0x0000000000740000-memory.dmp
    Filesize: 64KB

  • memory/336-139-0x0000000073410000-0x00000000739C1000-memory.dmp
    Filesize: 5.7MB

  • memory/2036-198-0x00007FFA0AC40000-0x00007FFA0B701000-memory.dmp
    Filesize: 10.8MB

  • memory/2036-210-0x0000025550940000-0x0000025550962000-memory.dmp
    Filesize: 136KB

  • memory/2036-200-0x0000025550980000-0x0000025550990000-memory.dmp
    Filesize: 64KB

  • memory/2036-199-0x0000025550980000-0x0000025550990000-memory.dmp
    Filesize: 64KB

  • memory/3252-17-0x0000000000E80000-0x0000000000E90000-memory.dmp
    Filesize: 64KB

  • memory/3252-13-0x0000000073410000-0x00000000739C1000-memory.dmp
    Filesize: 5.7MB

  • memory/3252-16-0x0000000073410000-0x00000000739C1000-memory.dmp
    Filesize: 5.7MB

  • memory/3252-138-0x0000000073410000-0x00000000739C1000-memory.dmp
    Filesize: 5.7MB

  • memory/3904-161-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-164-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-163-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-165-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-166-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-162-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-160-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-156-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-154-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB

  • memory/3904-155-0x00000241853E0000-0x00000241853E1000-memory.dmp
    Filesize: 4KB