Malware Analysis Report

2025-01-22 14:02

Sample ID 240224-sbg1mafa42
Target DeltaX.exe
SHA256 84f6b85e0e19306dcf3be51ccad790a4ceb8541f1c51a606df7464b7097c35a9
Tags njrat hacked evasion pyinstaller trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 84f6b85e0e19306dcf3be51ccad790a4ceb8541f1c51a606df7464b7097c35a9

Threat Level: Known bad

The file DeltaX.exe was found to be: Known bad.

Malicious Activity Summary

njrat hacked evasion pyinstaller trojan

njRAT/Bladabindi

Modifies Windows Firewall

Disables Task Manager via registry modification

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-24 14:56

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-02-24 14:56
Reported 2024-02-24 14:59
Platform win7-20240221-en
Max time kernel 150s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lol.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | F:\autorun.inf | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\Windows\SysWOW64\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A
File created | C:\Program Files (x86)\Explower.exe | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\server.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2184 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\DeltaX.exe | C:\Users\Admin\AppData\Local\Temp\Lol.exe
PID 2184 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\DeltaX.exe | C:\Users\Admin\AppData\Local\Temp\creal.exe
PID 2584 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | C:\Users\Admin\AppData\Local\Temp\creal.exe
PID 2292 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\Lol.exe | C:\Users\Admin\AppData\Roaming\server.exe
PID 2708 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Windows\SysWOW64\netsh.exe
PID 2708 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Windows\SysWOW64\netsh.exe
PID 2708 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Roaming\server.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DeltaX.exe

"C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"

C:\Users\Admin\AppData\Local\Temp\Lol.exe

"C:\Users\Admin\AppData\Local\Temp\Lol.exe"

C:\Users\Admin\AppData\Local\Temp\creal.exe

"C:\Users\Admin\AppData\Local\Temp\creal.exe"

C:\Users\Admin\AppData\Local\Temp\creal.exe

"C:\Users\Admin\AppData\Local\Temp\creal.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | kisel228.zapto.org | udp
RU | 95.86.227.200:25565 | kisel228.zapto.org | tcp

Files

\Users\Admin\AppData\Local\Temp\Lol.exe
\Users\Admin\AppData\Local\Temp\creal.exe
C:\Users\Admin\AppData\Local\Temp\creal.exe
C:\Users\Admin\AppData\Local\Temp\_MEI25842\python312.dll
\Users\Admin\AppData\Local\Temp\_MEI25842\python312.dll
C:\Users\Admin\AppData\Roaming\app

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-24 14:56
Reported 2024-02-24 14:58
Platform win10v2004-20240221-en
Max time kernel 8s
Max time network 7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DeltaX.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lol.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\creal.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\DeltaX.exe

"C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"

C:\Users\Admin\AppData\Local\Temp\Lol.exe

"C:\Users\Admin\AppData\Local\Temp\Lol.exe"

C:\Users\Admin\AppData\Local\Temp\creal.exe

"C:\Users\Admin\AppData\Local\Temp\creal.exe"

C:\Users\Admin\AppData\Local\Temp\creal.exe

"C:\Users\Admin\AppData\Local\Temp\creal.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\system32\curl.exe

curl http://api.ipify.org/ --ssl-no-revoke

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic bios get smbiosbiosversion"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic MemoryChip get /format:list | find /i "Speed""

C:\Windows\System32\Wbem\WMIC.exe

wmic MemoryChip get /format:list

C:\Windows\system32\find.exe

find /i "Speed"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell wininit.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell wininit.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Lol.exe
C:\Users\Admin\AppData\Local\Temp\creal.exe
C:\Users\Admin\AppData\Local\Temp\_MEI8282\python312.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_wmi.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_multiprocessing.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_cffi_backend.cp312-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\pyexpat.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI8282\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ctypes.pyd
C:\Users\Admin\AppData\Roaming\app
SHA512 ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

C:\Users\Admin\AppData\Local\Temp\_MEI8282\_ssl.pyd

MD5 ddb21bd1acde4264754c49842de7ebc9
SHA1 80252d0e35568e68ded68242d76f2a5d7e00001e
SHA256 72bb15cd8c14ba008a52d23cdcfc851a9a4bde13deee302a5667c8ad60f94a57
SHA512 464520ecd1587f5cede6219faac2c903ee41d0e920bf3c9c270a544b040169dcd17a4e27f6826f480d4021077ab39a6cbbd35ebb3d71672ebb412023bc9e182a

C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll

MD5 204167d7b96a364aef11693fc895ae82
SHA1 cc8a0660b8b4b1ce8a8363fbbbfd15f7752c3cbe
SHA256 b7d49c9782bee7fea6185681c48469a8e010308910b9ab1e02b165eb7eb4bc05
SHA512 8ebbf855a46aef5a5b2e4eadc92dfb19120e48402bf8c71c7ad0737ed71e1f54efcbabdc88fe1fa344ab9ff7a9284160155b4e888bf231f0bc40b7799d2bd241

C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll

MD5 ed393417bccb40e2f62ecdded772a520
SHA1 fa6135a8111857c82ce6b8f362c6749a155a51fa
SHA256 861c33d87e6f2b9574d61d30dbeb7e4bb2a5756a86d18730d99de7d3e401f343
SHA512 07af91371865c81b3518826722ee407ed5121162a94385808ff9ae235c52230be5b71c99e396cc9502c2171a0a9eb34bad427cab962788b7785d289530e58f3d

memory/3904-155-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-154-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-156-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-160-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-161-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-162-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-164-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-163-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-165-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/3904-166-0x00000241853E0000-0x00000241853E1000-memory.dmp

memory/2036-198-0x00007FFA0AC40000-0x00007FFA0B701000-memory.dmp

memory/2036-199-0x0000025550980000-0x0000025550990000-memory.dmp

memory/2036-200-0x0000025550980000-0x0000025550990000-memory.dmp

memory/2036-210-0x0000025550940000-0x0000025550962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mwpd1pz.y5h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
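Two things in the listing above are easy to miss when reading it by eye: the same path `C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll` is recorded three times with three different hash sets, and `__PSScriptPolicyTest_2mwpd1pz.y5h.ps1` is the probe file powershell.exe itself writes to %TEMP% at startup to test script-policy enforcement, so it is evidence that PowerShell was launched rather than a payload in its own right. The following parser is an added example, not part of the sandbox report or its tooling: it turns the plain-text dropped-file and memory-dump lines into records, validates digest lengths, tags PyInstaller `_MEI<pid>` extraction paths and the PowerShell policy-test file, reports paths that carry more than one distinct hash, and emits a SHA256 set for hunting. The embedded input is copied from entries in the listing above; the tag names and function names are this example's own.

```python
"""Parse a sandbox dropped-file listing into IOC records (added example)."""
import re
from collections import defaultdict

# Entries copied from the report's dropped-file listing above (not constructed).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll

MD5 dd3701505cb131ad88a5b7260fe9e8b6
SHA1 e211ddd09263dee72312c52693b521c750bdb337
SHA256 ed039ce6adc8eec816bcea43670dc5a6cf12d900af6b44b446fcbc0330724ba4
SHA512 c8d2c481c878d9b8513feffdac91680f93be8f1ba37ee15957a7c7923a76c22c75b54971456a57d1e3d20aacb5ce586be39b3e929334987f743a738d027aa780

memory/3904-155-0x00000241853E0000-0x00000241853E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 8fc22f973bec7f0525710dcf02f05edf
SHA1 418f88fe2c59f8d9579994aec4034d785e8ac00c
SHA256 ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46
SHA512 ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll

MD5 204167d7b96a364aef11693fc895ae82
SHA1 cc8a0660b8b4b1ce8a8363fbbbfd15f7752c3cbe
SHA256 b7d49c9782bee7fea6185681c48469a8e010308910b9ab1e02b165eb7eb4bc05
SHA512 8ebbf855a46aef5a5b2e4eadc92dfb19120e48402bf8c71c7ad0737ed71e1f54efcbabdc88fe1fa344ab9ff7a9284160155b4e888bf231f0bc40b7799d2bd241

C:\Users\Admin\AppData\Local\Temp\_MEI8282\libcrypto-3.dll

MD5 ed393417bccb40e2f62ecdded772a520
SHA1 fa6135a8111857c82ce6b8f362c6749a155a51fa
SHA256 861c33d87e6f2b9574d61d30dbeb7e4bb2a5756a86d18730d99de7d3e401f343
SHA512 07af91371865c81b3518826722ee407ed5121162a94385808ff9ae235c52230be5b71c99e396cc9502c2171a0a9eb34bad427cab962788b7785d289530e58f3d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mwpd1pz.y5h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MEI_RE = re.compile(r"\\_MEI\d+\\")  # PyInstaller onefile extraction directory


def classify_path(path):
    """Tag a dropped-file path; tag names are this example's own convention."""
    tags = set()
    name = path.rsplit("\\", 1)[-1]
    if MEI_RE.search(path):
        tags.add("pyinstaller_extract_dir")
    if name.startswith("__PSScriptPolicyTest_") and name.endswith(".ps1"):
        tags.add("powershell_started")  # written by powershell.exe itself at startup
    if "\\AppData\\Roaming\\" in path:
        tags.add("roaming_appdata")
    return tags


def parse_listing(text):
    """Return (file_records, memory_dump_records) from the plain-text listing."""
    files, dumps, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            s, e = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "index": int(idx), "start": s, "end": e, "size": e - s})
            cur = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if cur is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length on {cur['path']}")
            cur[algo] = digest
            continue
        cur = {"path": line, "tags": classify_path(line)}  # any other line starts a new file
        files.append(cur)
    return files, dumps


def find_path_collisions(files, algo="SHA256"):
    """Paths recorded with more than one distinct digest (worth a second look)."""
    seen = defaultdict(set)
    for f in files:
        if algo in f:
            seen[f["path"]].add(f[algo])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def hash_set(files, algo="SHA256"):
    """Distinct digests for hunting across an EDR or file-hash index."""
    return {f[algo] for f in files if algo in f}


if __name__ == "__main__":
    recs, dmps = parse_listing(REPORT_EXCERPT)
    for path, digests in find_path_collisions(recs).items():
        print(f"{path}: {len(digests)} distinct SHA256 values")
    print(f"{len(recs)} files, {len(dmps)} memory dumps, {len(hash_set(recs))} unique SHA256")
```

Run it against the full listing (paste the whole Files section into `REPORT_EXCERPT`) to get a deduplicated hash set; the collision report is the thing to read first, because a single path with several hashes means either several extraction rounds wrote different binaries to the same location or the sandbox merged entries from different runs, and the hunt list should carry all of them.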