Malware Analysis Report

2024-11-30 21:28

Sample ID 240106-p5g1yaggar
Target 4647f6c6c11587bde0cedcba2978fd35
SHA256 38e7da5c6e7f9cc6466cba7c8312aa0df55bd4ccb908dbe5a9cb31823f564d32
Tags

dridex botnet evasion payload persistence trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

38e7da5c6e7f9cc6466cba7c8312aa0df55bd4ccb908dbe5a9cb31823f564d32

Threat Level: Known bad

The file 4647f6c6c11587bde0cedcba2978fd35 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 12:54

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 12:54

Reported

2024-01-06 12:57

Platform

win7-20231215-en

Max time kernel

29s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\h7mh9dM2q\\raserver.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1200 wrote to memory of 2748 (×3) | N/A | N/A | C:\Windows\system32\TpmInit.exe
PID 1200 wrote to memory of 3052 (×3) | N/A | N/A | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe
PID 1200 wrote to memory of 2936 (×3) | N/A | N/A | C:\Windows\system32\raserver.exe
PID 1200 wrote to memory of 3048 (×3) | N/A | N/A | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe
PID 1200 wrote to memory of 1972 (×3) | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1200 wrote to memory of 2000 (×3) | N/A | N/A | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1
C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe
C:\Windows\system32\TpmInit.exe | C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe
C:\Windows\system32\raserver.exe | C:\Windows\system32\raserver.exe
C:\Windows\system32\SystemPropertiesPerformance.exe | C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 12:54

Reported

2024-01-06 12:57

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\LDR\\mfpmp.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3356 wrote to memory of 4088 (×2) | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3356 wrote to memory of 2600 (×2) | N/A | N/A | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe
PID 3356 wrote to memory of 4500 (×2) | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3356 wrote to memory of 4048 (×2) | N/A | N/A | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe
PID 3356 wrote to memory of 4880 (×2) | N/A | N/A | C:\Windows\system32\LockScreenContentServer.exe
PID 3356 wrote to memory of 3760 (×2) | N/A | N/A | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1
C:\Windows\system32\Magnify.exe | C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe
C:\Windows\system32\mfpmp.exe | C:\Windows\system32\mfpmp.exe
C:\Windows\system32\LockScreenContentServer.exe | C:\Windows\system32\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe

C:\Users\Admin\AppData\Local\ZRUWQm4x\dwmapi.dll

C:\Users\Admin\AppData\Local\cSkAffSFP\MFPlat.DLL

C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe

C:\Users\Admin\AppData\Local\VTijs77\dwmapi.dll

C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\KUWMDFiT57L\dwmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Office\LDR\MFPlat.DLL

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\j7\dwmapi.dll