Analysis Overview
SHA256
38e7da5c6e7f9cc6466cba7c8312aa0df55bd4ccb908dbe5a9cb31823f564d32
Threat Level: Known bad
The file 4647f6c6c11587bde0cedcba2978fd35 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 12:54
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 12:54
Reported
2024-01-06 12:57
Platform
win7-20231215-en
Max time kernel
29s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\h7mh9dM2q\\raserver.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1
C:\Users\Admin\AppData\Local\aB2x\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\QO8dVnA\raserver.exe
C:\Windows\system32\raserver.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\wdzn\SystemPropertiesPerformance.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 12:54
Reported
2024-01-06 12:57
Platform
win10v2004-20231215-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\LDR\\mfpmp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 4088 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 3356 wrote to memory of 4088 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 3356 wrote to memory of 2600 | N/A | N/A | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe |
| PID 3356 wrote to memory of 2600 | N/A | N/A | C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe |
| PID 3356 wrote to memory of 4500 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3356 wrote to memory of 4500 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3356 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe |
| PID 3356 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe |
| PID 3356 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\LockScreenContentServer.exe |
| PID 3356 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\LockScreenContentServer.exe |
| PID 3356 wrote to memory of 3760 | N/A | N/A | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe |
| PID 3356 wrote to memory of 3760 | N/A | N/A | C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4647f6c6c11587bde0cedcba2978fd35.dll,#1
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe
| MD5 | a942fb570578412257c10f944293851f |
| SHA1 | f83b9b41961e24fcc7eff48b858a4796224a9236 |
| SHA256 | 71e36c694e8142008ab8e861a5251ef8bac755d8c41cc61219a5f10d63b35e3b |
| SHA512 | 000223e34a23d9bdb1562751919b503114c235ab3ee31c93c323b1d21a99323ad4fd16c2c8edfb1a8762b90e815a653a7da5a7c11a493d289e45f3c9b8fb5977 |
C:\Users\Admin\AppData\Local\ZRUWQm4x\dwmapi.dll
| MD5 | 5729353e800ba9081478b28948644aa1 |
| SHA1 | 94e1c495542ac1f5013bff03346347a14c60c232 |
| SHA256 | 322185b5ebdd77426cf2e5d314c69164291de2f8bce0eb0179786ab029eb5f99 |
| SHA512 | e2d484441d90663a4783e64f6a32e46df0b1f76985bd7dfd7b9590f4d6cdf858858c989c8686d973583dfdda28272b935924f97fee363dbf8fa8fc6d3b20bdb5 |
C:\Users\Admin\AppData\Local\ZRUWQm4x\dwmapi.dll
| MD5 | e4527306f8483c2a7702c9eca9dbdcba |
| SHA1 | f61b4fd5df15a170d0a9d8be1250977b2aaff40b |
| SHA256 | dd7f9c5f3d052442152bd65d2384a9d522289d5c6043baad0270dcc41cb3faf2 |
| SHA512 | 877071539ac1b284f56124e3193e9b2c9a98db3353448e09fc9b7f1e422a67bb4c7340e39fafa84400930f851ed33ae1911a6c046e4f9b67c70ec7ca3ce31e73 |
C:\Users\Admin\AppData\Local\ZRUWQm4x\Magnify.exe
| MD5 | e93e8337395671ef15f89406cb973481 |
| SHA1 | 00bba3c6ecf614012869c5962a053dad27f0f897 |
| SHA256 | 88f369100bfc0bc7565e386bd084ad188fb5b3aed0f9d869df404493210e0c0b |
| SHA512 | d64a1c451599beeff4249c8c62659ae94560c5c206f5a714629464ddc51a6ea53fcee76165891537e502849a57e14b95314e39caf3a0284d5734b0047244f27b |
C:\Users\Admin\AppData\Local\cSkAffSFP\MFPlat.DLL
| MD5 | c29f908bf6783e43523f0533027938b6 |
| SHA1 | 7bd048355f15acb59f8aee487fc359799e33148c |
| SHA256 | ff910bcd8b14953405c0f2c3b197695cbc5ce93a88b93f32e5d65e8ff604caf0 |
| SHA512 | 2e163bf32f1ae0a7097ae6511adf1cf7e6445b74546381befd970378ea8ef027578b85eb2c54e7a823570f4829e8992858ef80a8a009b7b7e996bcdd611d5526 |
C:\Users\Admin\AppData\Local\cSkAffSFP\MFPlat.DLL
| MD5 | 9885460197b81e2ae7c7f5e89e7f86d3 |
| SHA1 | 2e907a2c86f8411dfab134cb034b3ef0ede0cfa4 |
| SHA256 | 552e508f95186b07c47f657f7bda4baaf11fb77e5c69b2233976c5487c1d3914 |
| SHA512 | a51e9c1e141bc52d7beb2b8c8d66855f4bd989cb7bbfea2946f3b732af1eabe04bd9c05d2aec46a756256a2d5802edd489131ed27f10f1c4aeb6202711d94266 |
C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe
| MD5 | 9402ca908e37f74744729166b338e183 |
| SHA1 | 53971fb14d201c4594ae27608931f9485f4909cf |
| SHA256 | 13c87abdb7f4d97b24c8bef4f20f0c30069dcec4e914495294c52bc1aec1c1fc |
| SHA512 | 3251ef0222b9b553315213460006b1f4ae848b5d8f0690df73d5a5b618b6db099e059dd23136e02ab41b63307abf36d9f98d94a0f20de68d39707d33d02fbc97 |
C:\Users\Admin\AppData\Local\cSkAffSFP\mfpmp.exe
| MD5 | 8f8fd1988973bac0c5244431473b96a5 |
| SHA1 | ce81ea37260d7cafe27612606cf044921ad1304c |
| SHA256 | 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e |
| SHA512 | a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab |
C:\Users\Admin\AppData\Local\VTijs77\dwmapi.dll
| MD5 | a70294342c7a5615fc5d245d32bcee82 |
| SHA1 | 516383c63c306605e1de882c160d5c7cb69d6252 |
| SHA256 | fbd90a5a986903aa190d2161e3bdf209eb95647ae6dc042aba296d423d2afb5c |
| SHA512 | 364b0230d4596ffe2def78dcf8b8b2a6c6b6e072e46704f1b1a01aa57d8b24bea08ad21aadf1ba7e67096a0d073c97896cecd1ab7ee639073b04407d654ae1aa |
C:\Users\Admin\AppData\Local\VTijs77\dwmapi.dll
| MD5 | 8abc849b79c5ad902048487daf9f0e60 |
| SHA1 | 0e6989dc2c988f510c17c77e091f21ba297319f7 |
| SHA256 | 08ad8758c15cf1ada515ea792ad35539fd5b8b456d6dcd6e166fc279b965c325 |
| SHA512 | 4e0e03c7b2adbcd65f76fb25416c616fadc68ff3683a7d951236796002957cd97185b430e99878024a3a1ca31a0d51038ea1bf4d1123ee6a92999f36f006035a |
C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe
| MD5 | f3a4d7da86c52cc00f2c1e1c858ae6d5 |
| SHA1 | ac3d4bda908ff444d820861a2446033d30d66969 |
| SHA256 | a013d9e10801ba65062d4c6d14ea89b68d1c29d31297760b843ec342a1787e1d |
| SHA512 | 1eab1d27dd15c92e01aa062d1188462846e55bf0e13e98d4cd4896cdd53cee54488d48c5533f59f2a3791d5faf60ee31674a2dcb53acc02ce5e3dd833ff44d4c |
C:\Users\Admin\AppData\Local\VTijs77\LockScreenContentServer.exe
| MD5 | ee9d32e75026bdd650970a009a0bdc5a |
| SHA1 | fdc3745741f3d847a687f3a35e72984e3b0bff68 |
| SHA256 | 3f217808d0aac0a6958d6720fc1e52c50e73c77eabec5f67709b71c0fb56d0ae |
| SHA512 | af41ced6da388839ac4de7aa36e6e219414878e78b741e33de39669b9ef43778b3f9c3225ba18bd632dcd5069187833914feab68ad6c92a605e095fc585a745a |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
| MD5 | 52dac8c9cf6199957389edaaf8108e2b |
| SHA1 | e91d021d6f77a6e471a8288fe48decf29a4c9c5c |
| SHA256 | 4cc205c5c7d1cedfdd1033021b50630b068ddf4d4e50475ad367abecc9924d23 |
| SHA512 | 58c28e2ac600737fbacfcdd0e050da24d1e9522d5459c7d92423dbf02f9ff5a06a2808db6b55dfac4f4767394f067adc4e768d28d4110756bbe0bbb71dfea5f1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\KUWMDFiT57L\dwmapi.dll
| MD5 | fe061e8721409071db9fb375c5663920 |
| SHA1 | 72f5cbffa1e77df4a5f1bef359eca6ba07d4bebc |
| SHA256 | b604ebb95edf58b1628bfcaf38224f1dd8290904c817402e07e2c598e5a83973 |
| SHA512 | 3ad03276f4e35c2de7f02c80224b3c0a2a82a491d7fc3b4232e5d411c7ea6b8517b1344ddf9f15422cc5e046aa1fc0c2eed7119f17c4437ba7950e2fc06c9321 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\LDR\MFPlat.DLL
| MD5 | 098a3d6b9df704a883a52a19abd18ec8 |
| SHA1 | a803b986ae563278d74ecedea3b83ef1a10da718 |
| SHA256 | 06250032204f8e6ca670af40dc2c24289e426bcc0ea5735db3ca6b5240f97354 |
| SHA512 | e72d342e296eaa81a8af13f0e28ace6374cb0708743f81c37e52bec40d50aa5ae80cc9df901b660166c1d4a250747fb895f0a9f8b30ec0e6cf2a26015514fcc0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\j7\dwmapi.dll
| MD5 | ff07fe20d8013b85f5063138ad58dc42 |
| SHA1 | df459581482f10bf461a965ca3cacea0a78bc82e |
| SHA256 | 7fc7f5ffb5fd1d10aa61f0efc0c5d970cd5971c314533a1c0e06f743d8206d48 |
| SHA512 | 519f9db11ae198d053b357ef5a3e885b8c3af8501216d293cd9667e9f71efb4798c173b736093456b0441ab6e5eec34fe58a6e12b871b6b2ce77701b7203bbb0 |