Malware Analysis Report

2025-01-22 13:51

Sample ID 240826-etc8hawcjp
Target c242bac618a98fbdf79b132d9f871da6_JaffaCakes118
SHA256 dd467bd3bee317a8a56ce6a835fd117acee48eb6f3eaf8fc978358e1696f454b
Tags
njrat hacked discovery persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file c242bac618a98fbdf79b132d9f871da6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery persistence trojan

njRAT/Bladabindi

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 04:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 04:13

Reported

2024-08-26 04:16

Platform

win7-20240705-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Audio Realtek Driver.exe" C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe
PID 2520 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
PID 2520 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Windows\SysWOW64\attrib.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
PID 2712 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Windows\SysWOW64\attrib.exe
PID 2712 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 anunankis1.duckdns.org udp
ES 83.213.157.103:1515 anunankis1.duckdns.org tcp

Files

memory/3056-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

memory/3056-1-0x0000000000D00000-0x0000000000D32000-memory.dmp

memory/3056-2-0x0000000000260000-0x0000000000268000-memory.dmp

memory/2520-6-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-5-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-3-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3056-14-0x0000000074A70000-0x000000007515E000-memory.dmp

memory/2520-13-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-15-0x00000000749F0000-0x00000000750DE000-memory.dmp

memory/2520-11-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-4-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-9-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2520-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

MD5 c242bac618a98fbdf79b132d9f871da6
SHA1 42f9fac0c01ab04b2b93db0854ba08d9620a0c64
SHA256 dd467bd3bee317a8a56ce6a835fd117acee48eb6f3eaf8fc978358e1696f454b
SHA512 7e32d8a4f143be4269ef08fb03b2e24bb2b58ca7ad6e631d0f51e69177c1ac48fb4fdee7b2183a095c5ca502bfabd0db05b08f307a97d7e5b1a7f5da33103a5e

memory/2712-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 e29984bfd869bc347dd39e31f7080512
SHA1 1e5b8ec21b3f5848d6f2da64cfcc627051ff4221
SHA256 dc04d13d700e6ebb949c3be4bf1912093c7fe3b824fa0e871492d3f6ff59895d
SHA512 1e529d1d59cd401bcdf3289bb1ab4ce45833bdfb7c8f526c62a247cebfb7e0c3f42b1cb0eb10ef0c3404f7c00605968573e90a074d34334303b8ef88eebcc42d

memory/2792-25-0x0000000000140000-0x0000000000172000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 cfbea2a4eff28b9f169484344d53c95e
SHA1 33c20ba7a198b06f46b7929499cde942ac14188c
SHA256 910f446caba515d57e848c5c84a08c0a3053b226d1c05141783635fb62561edd
SHA512 4bfce1b0a16f8bfcf8a06bfa1c8f81969a6725de9182c64aee555a9f7c2f3391878405b8f0aa03c0c2f562ed391ffcbc78b0997248597bae5323b0ec397a94df

memory/2520-44-0x00000000749F0000-0x00000000750DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 04:13

Reported

2024-08-26 04:16

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Audio Realtek Driver.exe" C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 952 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe
PID 3372 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
PID 3372 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe C:\Windows\SysWOW64\attrib.exe
PID 4008 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
PID 2480 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Windows\SysWOW64\attrib.exe
PID 2480 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 anunankis1.duckdns.org udp
ES 83.213.157.103:1515 anunankis1.duckdns.org tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/952-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

memory/952-1-0x0000000000FA0000-0x0000000000FD2000-memory.dmp

memory/952-2-0x0000000003230000-0x0000000003238000-memory.dmp

memory/3372-3-0x0000000000400000-0x000000000040E000-memory.dmp

memory/952-6-0x0000000074D10000-0x00000000754C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c242bac618a98fbdf79b132d9f871da6_JaffaCakes118.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3372-7-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3372-8-0x00000000055A0000-0x000000000563C000-memory.dmp

memory/952-12-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3372-11-0x0000000006310000-0x00000000068B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

MD5 c242bac618a98fbdf79b132d9f871da6
SHA1 42f9fac0c01ab04b2b93db0854ba08d9620a0c64
SHA256 dd467bd3bee317a8a56ce6a835fd117acee48eb6f3eaf8fc978358e1696f454b
SHA512 7e32d8a4f143be4269ef08fb03b2e24bb2b58ca7ad6e631d0f51e69177c1ac48fb4fdee7b2183a095c5ca502bfabd0db05b08f307a97d7e5b1a7f5da33103a5e

memory/4008-24-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3372-25-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/4008-28-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/2480-31-0x0000000074D10000-0x00000000754C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5 8388b80ba5c504d28885bc52ef0bad9d
SHA1 c884b5be8bd9a2a7df9db3ef14e6e9bae1569221
SHA256 2f9a2aa35cbbeb4bbdd4c376678712c0126d2300b1c4ff4f741efa7ded7b5d38
SHA512 56d4a496dd7dbac2d0fc70de2cc1320006d193172f55e3b626ff42897396d3b68a368bca1cffd34b9aca71b3ccf9aec182575e7aed9864c107e16f8798d26597

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MD5 8a5f7f7b0f46000b7b7b6be954ea60fa
SHA1 981765dc773f2a3b7a95da85c1a74e85e8d9ecb6
SHA256 5863f36778fd0e72b6c10b14a9e5c5008b7bdd9f7a27684554b7bddf8b6f181e
SHA512 39a089d86ab318bb7a9104c79027fb1f9288043e453dce684907212f7c10df37e4684c530c09816ceae72d5129e638160e7eea132f052ec93a135e6d63f2b250

memory/2480-36-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/2480-37-0x0000000006120000-0x00000000061B2000-memory.dmp

memory/2480-38-0x0000000006100000-0x000000000610A000-memory.dmp