Malware Analysis Report

2025-08-05 15:31

Sample ID 240203-tdgnbafdaj
Target RvcDownloader.exe
SHA256 604d490b9d5dfff01c9fceb085798c6b42f5778c9f125457be654dc4f436ab04
Tags: njrat persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 604d490b9d5dfff01c9fceb085798c6b42f5778c9f125457be654dc4f436ab04

Threat Level: Known bad

The file RvcDownloader.exe was found to be: Known bad.

Malicious Activity Summary

njrat persistence trojan

njRAT/Bladabindi

Executes dropped EXE

Checks computer location settings

Drops startup file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-03 15:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-03 15:56

Reported: 2024-02-03 15:59

Platform: win10v2004-20231215-en

Max time kernel: 150s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe"

Signatures

njRAT/Bladabindi

Tags: trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\java update.exe C:\Windows\system32\taskmgr.exe N/A

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .." C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

Tags: persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
PID 1616 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Dllhost.exe C:\Windows\SysWOW64\schtasks.exe
PID 4976 wrote to memory of 4572 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Program Files (x86)\Windows Media Player\setup_wm.exe
PID 4976 wrote to memory of 208 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 208 wrote to memory of 1548 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe

"C:\Users\Admin\AppData\Local\Temp\RvcDownloader.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

"C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp/Server.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Program Files (x86)\Windows Media Player\setup_wm.exe

"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp/Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp/Server.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.127.138.57:13538 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 57.138.127.3.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 wmploc.dll udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

MD5 7f6ce9a396cae9d375cb1a56de268b84
SHA1 4129cc4492f057cc2ec78c195c1badd7ab3d9c65
SHA256 604d490b9d5dfff01c9fceb085798c6b42f5778c9f125457be654dc4f436ab04
SHA512 e3cfe5afbde8b7889767cd9556ddbff2a3652ab139f06f02ec27cbd638d05604b3cbd5dcc2732a62750ced77d32eeab69b92e7eca38fe434121611c8775c314d

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

MD5 f41faa9212ef320eb6ed1aeac222ab93
SHA1 1c111b75d430e33aeba08666664e4fa0930ed463
SHA256 575ae4898ca0e80cca0e88c595d96ca20501cdfc3bd3908e8bc8d546e70718a4
SHA512 d1c8709b64ba7b76477bb2d20185603f4aa0fc9eeb538339f64f6f2e979d540f43f0c06ae0cecf7a1b236a4c1ef6c836308d6b872ea35783efb38e1cf6105d4b

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 6598555afb4ddb6dd093adadce301469
SHA1 fce7ec371800175602a615abf24469abf6073c8a
SHA256 b4906cebbf6d4ebeddab263c7c32fea23ed13a9cb8204162f72e196f13b424eb
SHA512 7b30ea0edaa4d281c1176506ebbdd659c51473b64aac61c444aa09b40264d4112ed5ae88796ccd98ec89d94bd33f05839f793b818858c62d275ae8c8e864147a

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 fc240c081ec382df4b74d591d7d37a45
SHA1 396e9d8accb2ff8b32e6c3957808cb87d23ad47c
SHA256 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038
SHA512 d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

MD5 25d1b50e7c0d451f3d850eb54d27ca05
SHA1 a238807715c70a335f54e80d4855644b21a9e870
SHA256 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
SHA512 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5
