Malware Analysis Report

2025-04-14 08:25

Sample ID: 211102-jm5rdscac8
Target: PO-NOVERMBER-877899PDF.js
SHA256: ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2
Tags: nanocore wshrat keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2

Threat Level: Known bad

The file PO-NOVERMBER-877899PDF.js was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat keylogger persistence spyware stealer trojan

WSHRAT

WSHRAT Payload

NanoCore

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-11-02 07:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-11-02 07:48

Reported: 2021-11-02 07:50

Platform: win7-en-20211014

Max time kernel: 156s

Max time network: 144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 932 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1628 set thread context of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1544 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1484 set thread context of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1840 set thread context of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 620 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1076 set thread context of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1412 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1176 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1164 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1388 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1008 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 set thread context of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 set thread context of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1796 set thread context of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1700 set thread context of 324 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1892 set thread context of 984 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1640 set thread context of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 820 set thread context of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1164 set thread context of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1556 set thread context of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 1480 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
PID 1700 wrote to memory of 1480 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
PID 1700 wrote to memory of 1480 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
PID 1700 wrote to memory of 1480 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
PID 1480 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1480 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1480 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1480 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1244 wrote to memory of 108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1244 wrote to memory of 108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1244 wrote to memory of 108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1244 wrote to memory of 108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 932 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 932 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 932 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 932 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 1416 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1416 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1416 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1416 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1588 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1588 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1588 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1588 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1064 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe
PID 1556 wrote to memory of 1628 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1556 wrote to memory of 1628 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1556 wrote to memory of 1628 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1556 wrote to memory of 1628 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
PID 1628 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1136 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1628 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif C:\Windows\SysWOW64\WScript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js

C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe

"C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 580

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 concideritdone.duckdns.org udp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp

Files

memory/1480-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe

MD5 28d30de145c8793755f1bfdf99ea932f
SHA1 aba0383ec8e41f7c2f9f24f7459dd9d0ba72683f
SHA256 9fc38110b27faec17d95668a9c43961bb3784e89b414c67256c48d54df2ef57f
SHA512 00c6ea5ad54b15416cc24a50ffc4d311d310cb12269cde343821b5d46f6d6f26d3eb755ba71cc56d2c5f32c486ec79d9951edc0b79be37a9e8f0ea3a16981c82

memory/1480-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/932-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\Users\Admin\AppData\Local\Temp\36105202\itrmmetww.rmo

MD5 13a98011d9ff991f3443efa8e008a971
SHA1 b36b50d4f32f734324892342a4cc4ccd9774f020
SHA256 cfb4c2a41937f49f6b0d572ba76d77ff6e430ff087e64d4c479b99c977ebcd76
SHA512 56a8d30ae22489b83b92a6d24004529482f4a0f4ab3977eab2b9881712ff85d2c0769b699017e67aaf42d846913a2fb127cb2ce9fe146093fbb1df8b1071fa29

C:\Users\Admin\AppData\Local\Temp\36105202\lsdrdpf.ico

MD5 d3aa3eecb766efc7b4401de9b615e6de
SHA1 9b7adeb496079a70be18c7d8d367c717b6224592
SHA256 b9ea29536049be3b92e7d5c6b53c5069e9783d1d62167a151dc850392d9f0d66
SHA512 754873742c33179dfa4a7da32d8e81dfd8d780fe54b64af5ddc44964edcc612563b185b984286bfbc2bdaded9ad6ec741b060991b205b273a9a786f99824ae84

C:\Users\Admin\AppData\Local\Temp\36105202\rootanp.gnw

MD5 fe3a591edaa70aeb6d06c5c99a17db90
SHA1 9e239fc6292e2cc4cf07a3af6882542938f83803
SHA256 036f4ef2448565615cfde93e58269b734c6384f63fd5b3828b214500dfda506b
SHA512 04649de2db3216657d4bc6e844e396deb53fec11089b43733725cb6ec895f1c9f6c709a3a7cfd7b78b2eb664c52e2f996ad363d0af5bfdca77718563293e658b

memory/1244-69-0x0000000000440000-0x0000000000A20000-memory.dmp

memory/1244-70-0x0000000000440000-0x0000000000A20000-memory.dmp

memory/1244-71-0x00000000004C42AE-mapping.dmp

memory/1244-72-0x0000000000440000-0x0000000000A20000-memory.dmp

memory/108-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\OPAFu.vbs

MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

memory/1416-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs

MD5 67a841ed4f66a7d8b95dd5d7ab2591ad
SHA1 bb9c2f9f51f51f99961c0668849a982713393fdf
SHA256 1ef2240286de9a72830e58da22962e40a1522e5e4d3a6aa7609ef4c00d5a2068
SHA512 7d24f39c4ab2f1a0414886ac581b8de019cd3089edd7eca62b7f128de78a0b27daa84f1ae2969eb5c14dc310fe02411ad9499211e3abb298d52e01b953865c66

memory/1064-82-0x0000000000000000-mapping.dmp

memory/1588-85-0x00000000003E0000-0x0000000000B02000-memory.dmp

memory/1588-86-0x00000000003E0000-0x0000000000B02000-memory.dmp

memory/1588-87-0x00000000004642AE-mapping.dmp

memory/1588-88-0x00000000003E0000-0x0000000000B02000-memory.dmp

memory/1704-90-0x0000000000000000-mapping.dmp

memory/1556-91-0x0000000000000000-mapping.dmp

memory/1628-94-0x0000000000000000-mapping.dmp

memory/1136-97-0x00000000003A0000-0x00000000009C4000-memory.dmp

memory/1136-98-0x00000000003A0000-0x00000000009C4000-memory.dmp

memory/1136-99-0x00000000004242AE-mapping.dmp

memory/1136-100-0x00000000003A0000-0x00000000009C4000-memory.dmp

memory/1292-102-0x0000000000000000-mapping.dmp

memory/756-103-0x0000000000000000-mapping.dmp

memory/1544-106-0x0000000000000000-mapping.dmp

memory/1620-109-0x0000000000260000-0x0000000000778000-memory.dmp

memory/1620-110-0x0000000000260000-0x0000000000778000-memory.dmp

memory/1620-111-0x00000000002E42AE-mapping.dmp

memory/1620-112-0x0000000000260000-0x0000000000778000-memory.dmp

memory/1588-114-0x0000000000000000-mapping.dmp

memory/1908-115-0x0000000000000000-mapping.dmp

memory/1484-118-0x0000000000000000-mapping.dmp

memory/564-121-0x0000000000310000-0x0000000000910000-memory.dmp

memory/564-122-0x0000000000310000-0x0000000000910000-memory.dmp

memory/564-123-0x00000000003942AE-mapping.dmp

memory/564-124-0x0000000000310000-0x0000000000910000-memory.dmp

memory/2044-126-0x0000000000000000-mapping.dmp

memory/1376-127-0x0000000000000000-mapping.dmp

memory/1840-130-0x0000000000000000-mapping.dmp

memory/932-133-0x0000000000380000-0x00000000008A9000-memory.dmp

memory/932-134-0x0000000000380000-0x00000000008A9000-memory.dmp

memory/932-135-0x00000000004042AE-mapping.dmp

memory/932-136-0x0000000000380000-0x00000000008A9000-memory.dmp

memory/1080-138-0x0000000000000000-mapping.dmp

memory/1704-139-0x0000000000000000-mapping.dmp

memory/620-142-0x0000000000000000-mapping.dmp

memory/888-145-0x0000000000390000-0x000000000086F000-memory.dmp

memory/888-146-0x0000000000390000-0x000000000086F000-memory.dmp

memory/888-147-0x00000000004142AE-mapping.dmp

memory/888-148-0x0000000000390000-0x000000000086F000-memory.dmp

memory/1656-150-0x0000000000000000-mapping.dmp

memory/1964-151-0x0000000000000000-mapping.dmp

memory/1076-154-0x0000000000000000-mapping.dmp

memory/1376-157-0x0000000000360000-0x0000000000917000-memory.dmp

memory/1376-158-0x0000000000360000-0x0000000000917000-memory.dmp

memory/1376-159-0x00000000003E42AE-mapping.dmp

memory/1376-160-0x0000000000360000-0x0000000000917000-memory.dmp

memory/1740-162-0x0000000000000000-mapping.dmp

memory/1768-163-0x0000000000000000-mapping.dmp

memory/1412-166-0x0000000000000000-mapping.dmp

memory/1596-169-0x0000000000300000-0x0000000000A42000-memory.dmp

memory/1596-170-0x0000000000300000-0x0000000000A42000-memory.dmp

memory/1596-171-0x00000000003842AE-mapping.dmp

memory/1596-172-0x0000000000300000-0x0000000000A42000-memory.dmp

memory/756-174-0x0000000000000000-mapping.dmp

memory/1488-175-0x0000000000000000-mapping.dmp

memory/1176-178-0x0000000000000000-mapping.dmp

memory/1244-181-0x00000000003F0000-0x00000000009C3000-memory.dmp

memory/1244-182-0x00000000003F0000-0x00000000009C3000-memory.dmp

memory/1244-183-0x00000000004742AE-mapping.dmp

memory/1244-184-0x00000000003F0000-0x00000000009C3000-memory.dmp

memory/1556-186-0x0000000000000000-mapping.dmp

memory/1416-187-0x0000000000000000-mapping.dmp

memory/1164-190-0x0000000000000000-mapping.dmp

memory/1628-193-0x0000000000270000-0x0000000000766000-memory.dmp

memory/1628-195-0x00000000002F42AE-mapping.dmp

memory/1156-198-0x0000000000000000-mapping.dmp

memory/1052-199-0x0000000000000000-mapping.dmp

memory/1388-202-0x0000000000000000-mapping.dmp

memory/2044-207-0x00000000004142AE-mapping.dmp

memory/1624-210-0x0000000000000000-mapping.dmp

memory/1132-211-0x0000000000000000-mapping.dmp

memory/1008-214-0x0000000000000000-mapping.dmp

memory/1636-219-0x00000000005342AE-mapping.dmp

memory/556-222-0x0000000000000000-mapping.dmp

memory/304-223-0x0000000000000000-mapping.dmp

memory/912-226-0x0000000000000000-mapping.dmp

memory/1768-231-0x00000000004F42AE-mapping.dmp

memory/1316-234-0x0000000000000000-mapping.dmp

memory/1052-235-0x0000000000000000-mapping.dmp

memory/1500-238-0x0000000000000000-mapping.dmp

memory/1664-243-0x00000000005442AE-mapping.dmp

memory/848-246-0x0000000000000000-mapping.dmp

memory/1244-247-0x0000000000000000-mapping.dmp

memory/1796-250-0x0000000000000000-mapping.dmp

memory/308-255-0x00000000003642AE-mapping.dmp

memory/956-258-0x0000000000000000-mapping.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2021-11-02 07:48

Reported

2021-11-02 07:50

Platform

win10-en-20210920

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js

Signatures

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js

C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe

"C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe"

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo

Network

Country Destination Domain Proto
US 8.8.8.8:53 sv.symcb.com udp
US 93.184.220.29:80 sv.symcb.com tcp
US 8.8.8.8:53 s.symcb.com udp
US 72.21.91.29:80 s.symcb.com tcp
US 8.8.8.8:53 ts-crl.ws.symantec.com udp
US 72.21.91.29:80 ts-crl.ws.symantec.com tcp
US 93.184.220.29:80 sv.symcb.com tcp
US 93.184.220.29:80 sv.symcb.com tcp

Files

memory/2272-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe

MD5 28d30de145c8793755f1bfdf99ea932f
SHA1 aba0383ec8e41f7c2f9f24f7459dd9d0ba72683f
SHA256 9fc38110b27faec17d95668a9c43961bb3784e89b414c67256c48d54df2ef57f
SHA512 00c6ea5ad54b15416cc24a50ffc4d311d310cb12269cde343821b5d46f6d6f26d3eb755ba71cc56d2c5f32c486ec79d9951edc0b79be37a9e8f0ea3a16981c82

memory/3920-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba