Malware Analysis Report

2025-04-03 19:53

Sample ID 241109-x3jqrazhpc
Target e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN
SHA256 e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694f
Tags
upx discovery
score
7/10

Analysis Overview

score
7/10

SHA256

e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694f

Threat Level: Shows suspicious behavior

The file e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN was found to show suspicious behavior.

Malicious Activity Summary

upx discovery

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:22

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:22

Reported

2024-11-09 19:24

Platform

win7-20240903-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Help\upbiran.ini | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\Help\1.nxsfijj | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\Help\2.nxsfijj | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\m.ini | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\system32\spool\DRIVERS\W32X86\3\xsfijjn\xsfijjn.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2516 set thread context of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1820 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe
PID 1820 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe
PID 1820 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe
PID 1820 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe
PID 2516 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe

"C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe"

C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe

C:\Windows\system32\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe -close

C:\Windows\SysWOW64\svchost.exe

svchost.exe -NetworkService

Network

N/A

Files

memory/1820-0-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\xtjtago.exe

MD5 138becb6fd6f7763ff09fd27320220ae
SHA1 f6105e06c700d141ea61b150d299573954071cd6
SHA256 bf007f69568cb83beb85e21a45b9380649875d1c907a5afa66e4ecfa819a1e91
SHA512 2b17dc7becb12a7ae3ef397f011ab045d07034359d9641cc63741ae5ea2c65cba632d90de1d7caf9d7ac7f2f2195406bc6e8097e375226bffd885e0e0ef0d804

memory/2516-43-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1820-42-0x0000000000470000-0x00000000004DD000-memory.dmp

memory/2528-63-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2528-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn010.IMD

MD5 c4103f122d27677c9db144cae1394a66
SHA1 1489f923c4dca729178b3e3233458550d8dddf29
SHA256 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn009.IMD

MD5 91da22e849e6c13ea8909e9390828853
SHA1 13b13fd2f903d31fd5c85f03bd238bfad25b121b
SHA256 c93035ac8f8c74f84bfbc49e4827185abcc8b88dbe2378d52f2a61a9ea194a3a
SHA512 736827886bb5a2ff1275299e9b29124b71cc30edcca45229567718ce3a70bbe83fd5de1e827af90043d166f8955c1c4c89bbb62ca356c0991eca712d8099f21c

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn008.IMD

MD5 e8c257569d6f0539f8e96d8e94f558f0
SHA1 75416ceae60be364d65f6f0ddfd4007d13380f3a
SHA256 be91edf84402880701eb5e22b01d492ebf498c5f4c3fa90203801e162d27ee11
SHA512 4c5668ac6b96f5020fa219a8e4bdb13492598473c4cdd0bbdac21752f45194b26849390b07cd1ed400e9396703536edc9b7c6f6153d11841fe370b2fc2df8d7b

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn007.IMD

MD5 af8b1161b69a560435dd97368845b295
SHA1 5da92a53a196121d2e48557ba861e12b9131be8f
SHA256 c858e8edb8bf07a16af544cde1cafa4d7ea780a1555548eee6a98b90883a07cc
SHA512 bab272fffbeb91ed99b8f351cda86993caaf6c173e605c8c0ccfcf297b710681041ee5963dcd2a17783f4a55bc37ca6e61386ccae0ab92f0a14e9f3611d7ffc2

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn006.IMD

MD5 4362593fea6601fdcece614acca34119
SHA1 dc69ba95100fd0dac895c3aece2c8e3ca07dd3e4
SHA256 bc1e3bb088839834b74f703e4f2549faa655d29cab30ae5a5c1b61eb208196e5
SHA512 994d2386e63d55c97b70cd44e096f945d788f60bf9e78291c28beff1772a7aa9b38656e43806746f6387ded80e16fced11705b04188f53645f2eb539dad94833

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn005.IMD

MD5 e66d6d9774173db1252d327c68124972
SHA1 b914e771065b2f2d099c5d19df873eaedd4fef9c
SHA256 88151c5382034f4835c97eb197f5e92d093d3f2ea60dfc5f49c6fab705bff142
SHA512 cf982f568cafc6bb34e8a0a7b15b457cc13f27b239cd60b4becba6b53b232e90cbd49983994e77fedd2b55bd8b84d7cd9414d180f1be86bb8247a9921f5a5807

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn004.IMD

MD5 352f47f670afccd0ac401ccc999d10d8
SHA1 4c89135384d32bec3fc3aa9980f52b905bacc1e8
SHA256 d6a102fd2982c91e2670e80129f3ac876535431dddc5aebc781a1942138073a5
SHA512 790a20423a5f76f4898ad037115a064075bb5a5e76491a0c1ea88bf6357ef4e5833bb3d68183e05c7f4653f5e86c6d7651614457bf0e2063bebf53b34566e739

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn003.IMD

MD5 8633e0a60847c39ba7d56e4dd467c8fe
SHA1 11e383e7b558620b68845e21d7c991a243883cce
SHA256 4a5f1fd076c26f9e0be65e51103196f4ab19214fc92416dad8c2ac0818cf7cb6
SHA512 3185dc12efb34148551b63fc0f0352c18e15a2ecf709acb4c7055415c5d42df62d73aedf78e87a734d9bc78e92138b8e17ace6ace346b123f67d87bc4dda6486

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn002.IMD

MD5 38c2cc45b51ee5e00fc96c937f37ddcf
SHA1 554bdb2564d0626817809496680ed3e4065de353
SHA256 c821e0a6081978ecfd0b21e7d14609b016f47357440dd997ab1ad16412d0713a
SHA512 51e26769fd123a02b82a5d364306a26c1c59a0b5017cd595dd4ce551ad47595cfa80fd6b273994626dc1d31c41a251f1d93fe29731594e1d021ce160499b6cf2

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn001.IMD

MD5 b65fbbf0fa54508f6093643dad2c7994
SHA1 d2af34bbc5afe8dd6e26c692a569ffaefe6d6192
SHA256 a0b70798c80fbc2062d7b692b8414b5b54096b596d13e8790a4a334cbbb968d9
SHA512 fa21d781bda9cb3141a03c7cb756c2c36c92c09b41c5dddec2f269d11a244319466276e7b943d73c8faf3ccb5b2f037f3ba47ece5b774d634c1e346fdbc7f3d7

F:\RECYCLER\S-1-5-18\Dc8\xsfijjn\xsfijjn000.IMD

MD5 984fe53c3e016b181d453c9527b8ddcc
SHA1 f02e6263de1e0bb783c5a65d91414463913949e0
SHA256 2eff8fffb4d76ec309d9b6db53a11ee1174cb8995db69c8d45f97c8c31b763e6
SHA512 ea81ee84a92eda30bcac45f404739cf6120c717a5124002c216a64f27f5dbcaaa94207ee787c4cdfdbec6506003743b3cb7d5e55cad2be5f25e2a6c6edf3113f

C:\Windows\SysWOW64\nxsfijj\nxsfijj\pxpgmeg\m.ini

MD5 0b12e006d890591ecd99eda50fd8874c
SHA1 59201d4bd672f6aed4a2e3bde58f7b7b4bf06515
SHA256 d4fea533c8531f7bbbc078195ec8cfde726eb372097f07e8bea1cd8087a4a0fa
SHA512 24be77b78614883a83ab5760aa12afa7f188b6938d01b8991b37534d0b990fd1b6e154f8d601aed2163cce6e6187838ff0176d25164cd019bb0c6af9b32b440c

C:\Windows\SysWOW64\Help\2.nxsfijj

MD5 963edc7b2a4d9256e7c198d8c303c623
SHA1 65caab6186539234b74f8ec5fde2a5f4660e7e5f
SHA256 83e8f8e845634dc0616f7655532b3cebb7040b65388aa4d2927ea1b50aba5156
SHA512 a9222effd61c56d3caf4e16e0a5bd16d845f1442a785b79871710650afd1b955e87670523b90fdb65451e8a00f0603ee93d47023b3e2e2e46fcc867a4929c29b

C:\Windows\SysWOW64\Help\1.nxsfijj

MD5 8138054c46269253b25b080c19518546
SHA1 e5695a3e41d35ef88220835abe1b080d93589bfd
SHA256 b8f850b1719175295e548086b545fbc3846103e1f69563182e3902543d73d111
SHA512 2148cd32f3afbe8f6db6b5464520d88aac7dbd264022f386ef42f345b1ce6275c893a463120a544b4d38164ffb83efc38584605f3bc6af86f4ef00928936b0f7

C:\Windows\SysWOW64\Help\upbiran.ini

MD5 f5e9d5f2633476586b4c69a84821b7ae
SHA1 5433fb62e72b600a762826b34dd387f488837bb6
SHA256 f4e65172bb9efed4a5663668f0a5c143784e9fc94570fb3ee9059f3c1f8c911d
SHA512 35b2b1741d86ecabc34656c1d680fe18f5f758bbe231639c2ecc774197c97ec9360743cfdbde7da3867abcfe2bdc2fa2e3bd48b467043e323dabe1bc985dcc98


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:22

Reported

2024-11-09 19:24

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Help\2.vlcaqne | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\m.ini | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File opened for modification | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\system32\spool\DRIVERS\W32X86\3\lcaqnev\lcaqnev.exe | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\Help\upbiran.ini | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
File created | C:\Windows\SysWOW64\Help\1.vlcaqne | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3692 set thread context of 5104 | N/A | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe | C:\Windows\SysWOW64\svchost.exe

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe

"C:\Users\Admin\AppData\Local\Temp\e2a0ac2ecdf001167a45b77f0795436a80f6b622d1e3784a953ba81a9dc4694fN.exe"

C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe

C:\Windows\system32\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe -close

C:\Windows\SysWOW64\svchost.exe

svchost.exe -NetworkService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 12

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1688-0-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\xhljypn.exe

MD5 0009ce0dff5bf146c12444eb943e7e73
SHA1 b999668b4f3f14cfe8d1543ad476d77a49ee865d
SHA256 89f7fef4117e2aa1f47b1e9cc1733d03cc4470d4a5856d0bb11f5979ad7984e5
SHA512 625c50e8bca8e62ed9859566d98a0b88efe5f1b68cace91ddc4c55a1b37775be5f688290a2fed0a490b125eb17a76cdf1559a4fe58a6f69a259fd062da1acbb5

memory/3692-39-0x0000000000400000-0x000000000046D000-memory.dmp

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev004.IMD

MD5 352f47f670afccd0ac401ccc999d10d8
SHA1 4c89135384d32bec3fc3aa9980f52b905bacc1e8
SHA256 d6a102fd2982c91e2670e80129f3ac876535431dddc5aebc781a1942138073a5
SHA512 790a20423a5f76f4898ad037115a064075bb5a5e76491a0c1ea88bf6357ef4e5833bb3d68183e05c7f4653f5e86c6d7651614457bf0e2063bebf53b34566e739

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev003.IMD

MD5 8633e0a60847c39ba7d56e4dd467c8fe
SHA1 11e383e7b558620b68845e21d7c991a243883cce
SHA256 4a5f1fd076c26f9e0be65e51103196f4ab19214fc92416dad8c2ac0818cf7cb6
SHA512 3185dc12efb34148551b63fc0f0352c18e15a2ecf709acb4c7055415c5d42df62d73aedf78e87a734d9bc78e92138b8e17ace6ace346b123f67d87bc4dda6486

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev002.IMD

MD5 38c2cc45b51ee5e00fc96c937f37ddcf
SHA1 554bdb2564d0626817809496680ed3e4065de353
SHA256 c821e0a6081978ecfd0b21e7d14609b016f47357440dd997ab1ad16412d0713a
SHA512 51e26769fd123a02b82a5d364306a26c1c59a0b5017cd595dd4ce551ad47595cfa80fd6b273994626dc1d31c41a251f1d93fe29731594e1d021ce160499b6cf2

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev001.IMD

MD5 b65fbbf0fa54508f6093643dad2c7994
SHA1 d2af34bbc5afe8dd6e26c692a569ffaefe6d6192
SHA256 a0b70798c80fbc2062d7b692b8414b5b54096b596d13e8790a4a334cbbb968d9
SHA512 fa21d781bda9cb3141a03c7cb756c2c36c92c09b41c5dddec2f269d11a244319466276e7b943d73c8faf3ccb5b2f037f3ba47ece5b774d634c1e346fdbc7f3d7

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev000.IMD

MD5 984fe53c3e016b181d453c9527b8ddcc
SHA1 f02e6263de1e0bb783c5a65d91414463913949e0
SHA256 2eff8fffb4d76ec309d9b6db53a11ee1174cb8995db69c8d45f97c8c31b763e6
SHA512 ea81ee84a92eda30bcac45f404739cf6120c717a5124002c216a64f27f5dbcaaa94207ee787c4cdfdbec6506003743b3cb7d5e55cad2be5f25e2a6c6edf3113f

C:\Windows\SysWOW64\vlcaqne\vlcaqne\cdtrpmk\m.ini

MD5 77068b92e9074f847c7a59ca2ed5d089
SHA1 abdca4381e45153c03edffcc5a914026dfea0fa3
SHA256 4310ab94c8fc96847e8dcb03d8cd2e83b38cf8becb1db2a80a53441de2302b61
SHA512 e0d26ecea4c64fa4e4b040ccea4a3a2d2a88c86a946ccf6f005f26de2392d848a7105e1de337df68f481b8ef3ce08256bef226373dba628a41f4ab3cc899308c

C:\Windows\SysWOW64\Help\2.vlcaqne

MD5 179440412aa6a9072a7eb828578e3bde
SHA1 7b7db6245bc03a544428c3bd9d5ade915801e2d9
SHA256 e9fc82ea9bfab2dcdf7d2c2c76b6cd0e7cf3809477eff170b625c90f174424fe
SHA512 120add88ecd3a5a465e3fcc7e0e07cd12471631dab568313b3812b23a239c62f8bf6279bea9c20c88efde4186f9487ea6826c210f8edc53db2115ab12c3805cf

C:\Windows\SysWOW64\Help\1.vlcaqne

MD5 2da5198efa4d360cab621cd4f9332efc
SHA1 7905a638a6c2b310f071c49c6bca80585a0220f6
SHA256 e5be395afbff1795e89aa5404862fd12a80bbeab138da71a500fc181e938fc44
SHA512 87f8049c26aa1e423f79645e2ecbc85686ada705100a88283390ba24799e449667e59b426d496bfb6a12626650ff5ad50d1b05a2d4ee6ba4987f13864e5565ef

C:\Windows\SysWOW64\Help\upbiran.ini

MD5 6817150f32d49152274eca172afbeca3
SHA1 fe3146504f6aa476bf0fd66c9a8eae86f6db359b
SHA256 bf5a94313d7390f769dfb0c7963e6d68b113d0e34319fa93b995cdd09133fc8e
SHA512 0b6184b54fc543c74ee93f6c4adced5ebc7d7c41273d7dc069591c2a9a1679f390970005f359aaca86fa4dc0bba1d6b73dedccbe04ad2716bdd832823bd3f1e0

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev005.IMD

MD5 e66d6d9774173db1252d327c68124972
SHA1 b914e771065b2f2d099c5d19df873eaedd4fef9c
SHA256 88151c5382034f4835c97eb197f5e92d093d3f2ea60dfc5f49c6fab705bff142
SHA512 cf982f568cafc6bb34e8a0a7b15b457cc13f27b239cd60b4becba6b53b232e90cbd49983994e77fedd2b55bd8b84d7cd9414d180f1be86bb8247a9921f5a5807

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev009.IMD

MD5 91da22e849e6c13ea8909e9390828853
SHA1 13b13fd2f903d31fd5c85f03bd238bfad25b121b
SHA256 c93035ac8f8c74f84bfbc49e4827185abcc8b88dbe2378d52f2a61a9ea194a3a
SHA512 736827886bb5a2ff1275299e9b29124b71cc30edcca45229567718ce3a70bbe83fd5de1e827af90043d166f8955c1c4c89bbb62ca356c0991eca712d8099f21c

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev008.IMD

MD5 e8c257569d6f0539f8e96d8e94f558f0
SHA1 75416ceae60be364d65f6f0ddfd4007d13380f3a
SHA256 be91edf84402880701eb5e22b01d492ebf498c5f4c3fa90203801e162d27ee11
SHA512 4c5668ac6b96f5020fa219a8e4bdb13492598473c4cdd0bbdac21752f45194b26849390b07cd1ed400e9396703536edc9b7c6f6153d11841fe370b2fc2df8d7b

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev007.IMD

MD5 af8b1161b69a560435dd97368845b295
SHA1 5da92a53a196121d2e48557ba861e12b9131be8f
SHA256 c858e8edb8bf07a16af544cde1cafa4d7ea780a1555548eee6a98b90883a07cc
SHA512 bab272fffbeb91ed99b8f351cda86993caaf6c173e605c8c0ccfcf297b710681041ee5963dcd2a17783f4a55bc37ca6e61386ccae0ab92f0a14e9f3611d7ffc2

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev006.IMD

MD5 4362593fea6601fdcece614acca34119
SHA1 dc69ba95100fd0dac895c3aece2c8e3ca07dd3e4
SHA256 bc1e3bb088839834b74f703e4f2549faa655d29cab30ae5a5c1b61eb208196e5
SHA512 994d2386e63d55c97b70cd44e096f945d788f60bf9e78291c28beff1772a7aa9b38656e43806746f6387ded80e16fced11705b04188f53645f2eb539dad94833

F:\RECYCLER\S-1-5-18\Dc8\lcaqnev\lcaqnev010.IMD

MD5 c4103f122d27677c9db144cae1394a66
SHA1 1489f923c4dca729178b3e3233458550d8dddf29
SHA256 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
