Malware Analysis Report

2025-03-15 06:25

Sample ID 240125-ghn7qsaaen
Target d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
SHA256 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
Tags
njrat hacked persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9

Threat Level: Known bad

The file d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe was found to be: Known bad.

Malicious Activity Summary

njrat hacked persistence trojan

Njrat family

njRAT/Bladabindi

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 05:48

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 05:48

Reported

2024-01-25 05:51

Platform

win7-20231215-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1708 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 1708 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Windows\SysWOW64\attrib.exe
PID 1708 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Windows\SysWOW64\attrib.exe
PID 1708 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Windows\SysWOW64\attrib.exe
PID 1708 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp

Files

memory/1708-0-0x0000000074E90000-0x000000007543B000-memory.dmp

memory/1708-1-0x0000000000BC0000-0x0000000000C00000-memory.dmp

memory/1708-2-0x0000000074E90000-0x000000007543B000-memory.dmp

\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 a5ad2d1796744144d739569bb466b307
SHA1 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
SHA256 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
SHA512 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

memory/2384-13-0x0000000074E90000-0x000000007543B000-memory.dmp

memory/2384-14-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/1708-12-0x0000000074E90000-0x000000007543B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 387937c39ce58e167c8ba732bd92931a
SHA1 d31fb8d416efd34f9b965115edb54917e778f63f
SHA256 b3b40e302cb318abff9736936e3e8e02953aeb8949c686a4e0583880ecfa51cc
SHA512 e9265317d845d61e1cdc81942e1e37caa2ab9af7f6de6396610929bc56860d7f1fea9f39636d89885b417c49a4205fe2b322921997f3ef6040a1286df0d734e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 93b3ed8bc82c8b93c3aaa87b9d984542
SHA1 1b01bbe3f7aef5a5114b3142c42cd4d9f694928b
SHA256 366b5a32bc0bec7ce9b4e97179ea7062ed9b20e9f04807b3fb44790757019d24
SHA512 75d176a38fc1f54e14ec97aa1daf7b753e4a89c189df2777d0304f68835370896757646cd49cfbc7796437559cb18fe88135807e6bd2d3f8a37c2b9c65c8d781

memory/2384-20-0x0000000074E90000-0x000000007543B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 05:48

Reported

2024-01-25 05:51

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

"C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
N/A 172.20.6.206:1992 tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
N/A 172.20.6.206:1992 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp
N/A 172.20.6.206:1992 tcp

Files

memory/3924-0-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/3924-1-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/3924-2-0x00000000014A0000-0x00000000014B0000-memory.dmp

memory/3924-5-0x0000000075490000-0x0000000075A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 a5ad2d1796744144d739569bb466b307
SHA1 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
SHA256 d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
SHA512 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

memory/4900-14-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/4900-15-0x00000000011C0000-0x00000000011D0000-memory.dmp

memory/4900-17-0x0000000075490000-0x0000000075A41000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 371e9f5c5222743275e228f1b3d27fb1
SHA1 31b0a7ada0ee8c593d1f7d4b8fa3f830566a5fd6
SHA256 5684b6a81a92bef5cd5eb049a0e905dc99e7db95d907443f182614b9b48602f1
SHA512 14f203f243e9c69a3b3e1beaf8599d5cd0f18627e446a3beac78cb611bb4259ffb4c47ece4da3d3ff4ee1dd01aa379b081a3548844070d3b7312f56d22ffc78f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 a0e21c3cda955b529c05da3ebc737559
SHA1 7cede9bd6a34b2ddb326c3733057cf76b11e3d45
SHA256 b34c6f792079e84046ce8c2049f6f233e6c235f025770a028dfc8d57bc54af8c
SHA512 e37365ed423d523ca996460ab7adab0a19923906413d22cccde2f1ce144ea25deef5e1a2a6d3cc8580952ebd58438f36f5eb2cb82348e1e3d126fa248d5fc18a

memory/3924-19-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/4900-24-0x0000000075490000-0x0000000075A41000-memory.dmp

memory/4900-25-0x00000000011C0000-0x00000000011D0000-memory.dmp

memory/4900-26-0x0000000075490000-0x0000000075A41000-memory.dmp