Malware Analysis Report

2025-03-15 06:25

Sample ID: 240125-gfqyjsaaaq
Target: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
Tags: hacked, njrat, persistence, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9

Threat Level: Known bad

The file d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe was found to be: Known bad.

Malicious Activity Summary

Tags: hacked, njrat, persistence, trojan

Njrat family

njRAT/Bladabindi

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 05:45

Signatures

Njrat family

Tags: njrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 05:45
Reported: 2024-01-25 05:47
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

Signatures

njRAT/Bladabindi

Tags: trojan, njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1680 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1680 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1680 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1680 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Windows\SysWOW64\attrib.exe
PID 1680 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Windows\SysWOW64\attrib.exe
PID 1680 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Windows\SysWOW64\attrib.exe
PID 1680 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country | Destination | Domain | Proto
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp

Files

memory/1680-0-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1680-1-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1680-2-0x0000000000310000-0x0000000000350000-memory.dmp

\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 a5ad2d1796744144d739569bb466b307
SHA1 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
SHA256 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
SHA512 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

memory/1680-13-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/2540-14-0x0000000000500000-0x0000000000540000-memory.dmp

memory/2540-12-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/2540-15-0x0000000074110000-0x00000000746BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 406cb5d8884554b910ec2985051e04b9
SHA1 6c2caa778ff91890041c687a8f0d7bfb3496c72d
SHA256 6f65ea8e387ca72e00d035cd0c38570a196414187ff069577491764e1f601bd1
SHA512 2f8418c76878a6e1dec7fe2ce4e7f47734cd01e9a8c812995263e5f57a67adc4761923a2c00a9cffecec73b2080e8f03c6fcd07d6d18b5c0154cd2542f02a182

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 7cbc2d82c4f90ff978979a21634aa85e
SHA1 cc595afa4a2f17360b23218aa002e3e31e29b408
SHA256 21f7e2b15bbe313f5bb49f27e5a11296c63cf26c625e2da423b1e18df0bbb5a0
SHA512 3c11f0c560084e7e85183a0d28463308ce9df197616c36b1a6d912657364e9f83730c82b94673c8bab4130c26c417ff668b3a19abccfb360855d2d374ed8ddff

memory/2540-21-0x0000000074110000-0x00000000746BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 05:45
Reported: 2024-01-25 05:47
Platform: win10v2004-20231222-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Views/modifies file attributes

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
N/A | 172.20.6.206:1992 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
N/A | 172.20.6.206:1992 | | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
N/A | 172.20.6.206:1992 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp
N/A | 172.20.6.206:1992 | | tcp

Files

memory/1960-1-0x0000000001090000-0x00000000010A0000-memory.dmp

memory/1960-0-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1960-2-0x0000000074DD0000-0x0000000075381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 a5ad2d1796744144d739569bb466b307
SHA1 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
SHA256 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
SHA512 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

memory/1960-14-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/60-15-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/60-16-0x0000000000D50000-0x0000000000D60000-memory.dmp

memory/60-18-0x0000000074DD0000-0x0000000075381000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 b565b6f7a706fa0e6f1a618d53af840a
SHA1 a2dcefc8f9bf6ffc89c3e9dba9ba582a4dc0c47f
SHA256 e2be89378f1677a386e8641949f4af149db4947d04ff320e256a5c0b39d683cb
SHA512 11755649cf70808de39fd6f3a20559feebad8e7344bbd5c10de0d285ded97d8570c9e01b2834eb80c6e3179abc6bec2d9bbd4dc4e24dd94fb981fd6c9caf28fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 1cf416d26fcaa9ac44cde97b4071c2c1
SHA1 2f49d770b79359232d9b8ad9609bcab9bc8489a1
SHA256 298bf368286c7dfa7b8cd2774d93811fea422c38b37b79c4049fb38fbfa49da0
SHA512 d4a92f2051d7bb5ec5dfd5cce038202cab2a75fad83238c914ce0e1d4db66b36bd2b8302451035e6e9cbf8160965e180f91af0ffea9772c28e0a4aa9a4171bcf

memory/60-23-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/60-24-0x0000000000D50000-0x0000000000D60000-memory.dmp