Malware Analysis Report

2025-01-22 14:01

Sample ID: 240227-htwxdsbe5t
Target: a88675b6bd37faff8ac76d0b3dd15cca
SHA256: d628e7a54d5069605f2e2b3226818d2f3343973b87e1e4a15943c9792e7f1d97
Tags: hacked njrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview; MITRE ATT&CK (Enterprise Matrix V15); Analysis: static1 (Detonation Overview, Signatures); Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files); Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: d628e7a54d5069605f2e2b3226818d2f3343973b87e1e4a15943c9792e7f1d97

Threat Level: Known bad

The file a88675b6bd37faff8ac76d0b3dd15cca was found to be: Known bad.

Malicious Activity Summary

hacked njrat persistence trojan

njRAT/Bladabindi

Njrat family

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-27 07:02

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-27 07:02

Reported: 2024-02-27 07:04

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\ProgramData\Payload.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\ProgramData\Payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\ProgramData\Payload.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Payload.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Payload.exe N/A
Token: 33 N/A C:\ProgramData\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Payload.exe N/A
(the preceding pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is repeated 16 times in the original log)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe C:\ProgramData\Payload.exe (4 events)
PID 2412 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe C:\Windows\SysWOW64\attrib.exe (4 events)
PID 2600 wrote to memory of 2508 N/A C:\ProgramData\Payload.exe C:\Windows\SysWOW64\attrib.exe (4 events)
PID 2600 wrote to memory of 2680 N/A C:\ProgramData\Payload.exe C:\Windows\SysWOW64\attrib.exe (4 events)

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe

"C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe"

C:\ProgramData\Payload.exe

"C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sific227asmm.ddns.net udp

Files

memory/2412-0-0x0000000074980000-0x0000000074F2B000-memory.dmp

memory/2412-2-0x0000000000B80000-0x0000000000BC0000-memory.dmp

memory/2412-1-0x0000000074980000-0x0000000074F2B000-memory.dmp

\ProgramData\Payload.exe

MD5 a88675b6bd37faff8ac76d0b3dd15cca
SHA1 acca891f9da218eaee8cc79ad22909efba3575a6
SHA256 d628e7a54d5069605f2e2b3226818d2f3343973b87e1e4a15943c9792e7f1d97
SHA512 c671cadd2e649a4ee46f4020134b7129818582c1baf8253b70a29214e85da03710d59761a641339697152adad0e23aea5e5cdd42f59c91fe7f94c153783c2dd9

memory/2600-14-0x0000000001E50000-0x0000000001E90000-memory.dmp

memory/2412-13-0x0000000074980000-0x0000000074F2B000-memory.dmp

memory/2600-12-0x0000000074980000-0x0000000074F2B000-memory.dmp

memory/2600-15-0x0000000074980000-0x0000000074F2B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 28a46695f1905743a1cc6e916e6d4e88
SHA1 e9ddca1369de455678683e5169277f9367a6ada3
SHA256 402e4fd00f1d041f56948583b4ba0dd7480b39475b73bb36c5f2a45627fd6ff8
SHA512 bc63d606d284239d698978173e1853dc6026359b864d392cad41b6146f827be4945af08c6805dc91430ed1a278bd4bfaad6e80d6ffe25c8be57a9ef48859e1b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 81ab3cf8764229b4223307abb641f36d
SHA1 c691b457462eb7c64b9785080b65c8bf83e4e812
SHA256 1358ee811f779e1e348a30b105e2e3c30bb24eba43b0b60e53e6e404310f7f8a
SHA512 2475aaa3d57ff6536d7dd84bd564147172138cff984bef610855e25601b2264ecd9e0911530d3aeb1f876635d21abb92909a4714bf8bb7c34350ce0d255bfa26

memory/2600-22-0x0000000074980000-0x0000000074F2B000-memory.dmp

memory/2600-23-0x0000000074980000-0x0000000074F2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-27 07:02

Reported: 2024-02-27 07:04

Platform: win10v2004-20240226-en

Max time kernel: 149s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\ProgramData\Payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\ProgramData\Payload.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\ProgramData\Payload.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Payload.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\ProgramData\Payload.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Payload.exe N/A
Token: 33 N/A C:\ProgramData\Payload.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Payload.exe N/A
(the preceding pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is repeated 16 times in the original log)

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe

"C:\Users\Admin\AppData\Local\Temp\a88675b6bd37faff8ac76d0b3dd15cca.exe"

C:\ProgramData\Payload.exe

"C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\ProgramData\Payload.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 sific227asmm.ddns.net udp (22 queries, interleaved with the reverse lookups below)
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4784-0-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4784-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4784-2-0x0000000001380000-0x0000000001390000-memory.dmp

C:\ProgramData\Payload.exe

MD5 a88675b6bd37faff8ac76d0b3dd15cca
SHA1 acca891f9da218eaee8cc79ad22909efba3575a6
SHA256 d628e7a54d5069605f2e2b3226818d2f3343973b87e1e4a15943c9792e7f1d97
SHA512 c671cadd2e649a4ee46f4020134b7129818582c1baf8253b70a29214e85da03710d59761a641339697152adad0e23aea5e5cdd42f59c91fe7f94c153783c2dd9

memory/4784-14-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/1620-15-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/1620-16-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 82308d8a6d43b962b17e22f0a0b5c03a
SHA1 4b5353ba7e3d37b4be5a2340de1022d26f35300d
SHA256 9fd096067d5afb2ffd41a8bbba2c9c1b759d143113c0871affa3c21d9e257ca1
SHA512 677b261a1544e2e8c24ebd71b31de64560d0f447bb3eca4e3ef108edcff3a492b23242680b9020884daf7deda15a02befd005343c217b2920327390a16fa918a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 1feed5785388ea77f430850910e8d554
SHA1 1b6a7244cfc9d770e6e40cbb79eed32775864aca
SHA256 40bc3728178c73ddbe43dd4f4d0b3fb093fbc9a079f228a15355661b57be471e
SHA512 4286775cf095f1948041042ff498ff55c5aa7e3fabe4cf0a92cc7ad0c3d7ed69aff748aebe1eeab78e20028b785d1b42603de21b070a6a735ee3bcc99d5a63f8

memory/1620-18-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/1620-24-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/1620-25-0x0000000000DE0000-0x0000000000DF0000-memory.dmp