Analysis Overview
SHA256
ee0073705af75336561ad765f570b06762c14ecbc0d67edb538eab2ac2884ba2
Threat Level: Known bad
The file PO-NOVERMBER-877899PDF.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
WSHRAT Payload
NanoCore
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-02 07:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-02 07:48
Reported
2021-11-02 07:50
Platform
win7-en-20211014
Max time kernel
156s
Max time network
144s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT Payload
Blocklisted process makes network request
| Description | Indicator | Process | Target | Occurrences |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A | 3 |
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPAFu.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target | Occurrences |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\pfouh.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\36105202\\ITRMME~1.RMO" | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A | 22 |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A | 22 |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPAFu = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OPAFu.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line | Occurrences |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js | 1 |
| C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | "C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe" | 1 |
| C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | "C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo | 22 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | 22 |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\OPAFu.vbs | 1 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs" | 22 |
After the first pfouh.pif and RegSvcs.exe launches, the sequence WScript.exe (run.vbs), pfouh.pif (itrmmetww.rmo), RegSvcs.exe, WerFault.exe recurs 21 times, and a final WScript.exe (run.vbs) launch is the last recorded process. The WerFault.exe invocations, in order of appearance:
| Process | Command line |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 576 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 576 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 572 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 580 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
| MD5 | 28d30de145c8793755f1bfdf99ea932f |
| SHA1 | aba0383ec8e41f7c2f9f24f7459dd9d0ba72683f |
| SHA256 | 9fc38110b27faec17d95668a9c43961bb3784e89b414c67256c48d54df2ef57f |
| SHA512 | 00c6ea5ad54b15416cc24a50ffc4d311d310cb12269cde343821b5d46f6d6f26d3eb755ba71cc56d2c5f32c486ec79d9951edc0b79be37a9e8f0ea3a16981c82 |
\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\Users\Admin\AppData\Local\Temp\36105202\itrmmetww.rmo
| MD5 | 13a98011d9ff991f3443efa8e008a971 |
| SHA1 | b36b50d4f32f734324892342a4cc4ccd9774f020 |
| SHA256 | cfb4c2a41937f49f6b0d572ba76d77ff6e430ff087e64d4c479b99c977ebcd76 |
| SHA512 | 56a8d30ae22489b83b92a6d24004529482f4a0f4ab3977eab2b9881712ff85d2c0769b699017e67aaf42d846913a2fb127cb2ce9fe146093fbb1df8b1071fa29 |
C:\Users\Admin\AppData\Local\Temp\36105202\lsdrdpf.ico
| MD5 | d3aa3eecb766efc7b4401de9b615e6de |
| SHA1 | 9b7adeb496079a70be18c7d8d367c717b6224592 |
| SHA256 | b9ea29536049be3b92e7d5c6b53c5069e9783d1d62167a151dc850392d9f0d66 |
| SHA512 | 754873742c33179dfa4a7da32d8e81dfd8d780fe54b64af5ddc44964edcc612563b185b984286bfbc2bdaded9ad6ec741b060991b205b273a9a786f99824ae84 |
C:\Users\Admin\AppData\Local\Temp\36105202\rootanp.gnw
| MD5 | fe3a591edaa70aeb6d06c5c99a17db90 |
| SHA1 | 9e239fc6292e2cc4cf07a3af6882542938f83803 |
| SHA256 | 036f4ef2448565615cfde93e58269b734c6384f63fd5b3828b214500dfda506b |
| SHA512 | 04649de2db3216657d4bc6e844e396deb53fec11089b43733725cb6ec895f1c9f6c709a3a7cfd7b78b2eb664c52e2f996ad363d0af5bfdca77718563293e658b |
C:\Users\Admin\AppData\Roaming\OPAFu.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
C:\Users\Admin\AppData\Local\Temp\36105202\run.vbs
| MD5 | 67a841ed4f66a7d8b95dd5d7ab2591ad |
| SHA1 | bb9c2f9f51f51f99961c0668849a982713393fdf |
| SHA256 | 1ef2240286de9a72830e58da22962e40a1522e5e4d3a6aa7609ef4c00d5a2068 |
| SHA512 | 7d24f39c4ab2f1a0414886ac581b8de019cd3089edd7eca62b7f128de78a0b27daa84f1ae2969eb5c14dc310fe02411ad9499211e3abb298d52e01b953865c66 |
memory/1064-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1588-85-0x00000000003E0000-0x0000000000B02000-memory.dmp
memory/1588-86-0x00000000003E0000-0x0000000000B02000-memory.dmp
memory/1588-87-0x00000000004642AE-mapping.dmp
memory/1588-88-0x00000000003E0000-0x0000000000B02000-memory.dmp
memory/1704-90-0x0000000000000000-mapping.dmp
memory/1556-91-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1628-94-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1136-97-0x00000000003A0000-0x00000000009C4000-memory.dmp
memory/1136-98-0x00000000003A0000-0x00000000009C4000-memory.dmp
memory/1136-99-0x00000000004242AE-mapping.dmp
memory/1136-100-0x00000000003A0000-0x00000000009C4000-memory.dmp
memory/1292-102-0x0000000000000000-mapping.dmp
memory/756-103-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1544-106-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1620-109-0x0000000000260000-0x0000000000778000-memory.dmp
memory/1620-110-0x0000000000260000-0x0000000000778000-memory.dmp
memory/1620-111-0x00000000002E42AE-mapping.dmp
memory/1620-112-0x0000000000260000-0x0000000000778000-memory.dmp
memory/1588-114-0x0000000000000000-mapping.dmp
memory/1908-115-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1484-118-0x0000000000000000-mapping.dmp
memory/564-121-0x0000000000310000-0x0000000000910000-memory.dmp
memory/564-122-0x0000000000310000-0x0000000000910000-memory.dmp
memory/564-123-0x00000000003942AE-mapping.dmp
memory/564-124-0x0000000000310000-0x0000000000910000-memory.dmp
memory/2044-126-0x0000000000000000-mapping.dmp
memory/1376-127-0x0000000000000000-mapping.dmp
memory/1840-130-0x0000000000000000-mapping.dmp
memory/932-133-0x0000000000380000-0x00000000008A9000-memory.dmp
memory/932-134-0x0000000000380000-0x00000000008A9000-memory.dmp
memory/932-135-0x00000000004042AE-mapping.dmp
memory/932-136-0x0000000000380000-0x00000000008A9000-memory.dmp
memory/1080-138-0x0000000000000000-mapping.dmp
memory/1704-139-0x0000000000000000-mapping.dmp
memory/620-142-0x0000000000000000-mapping.dmp
memory/888-145-0x0000000000390000-0x000000000086F000-memory.dmp
memory/888-146-0x0000000000390000-0x000000000086F000-memory.dmp
memory/888-147-0x00000000004142AE-mapping.dmp
memory/888-148-0x0000000000390000-0x000000000086F000-memory.dmp
memory/1656-150-0x0000000000000000-mapping.dmp
memory/1964-151-0x0000000000000000-mapping.dmp
memory/1076-154-0x0000000000000000-mapping.dmp
memory/1376-157-0x0000000000360000-0x0000000000917000-memory.dmp
memory/1376-158-0x0000000000360000-0x0000000000917000-memory.dmp
memory/1376-159-0x00000000003E42AE-mapping.dmp
memory/1376-160-0x0000000000360000-0x0000000000917000-memory.dmp
memory/1740-162-0x0000000000000000-mapping.dmp
memory/1768-163-0x0000000000000000-mapping.dmp
memory/1412-166-0x0000000000000000-mapping.dmp
memory/1596-169-0x0000000000300000-0x0000000000A42000-memory.dmp
memory/1596-170-0x0000000000300000-0x0000000000A42000-memory.dmp
memory/1596-171-0x00000000003842AE-mapping.dmp
memory/1596-172-0x0000000000300000-0x0000000000A42000-memory.dmp
memory/756-174-0x0000000000000000-mapping.dmp
memory/1488-175-0x0000000000000000-mapping.dmp
memory/1176-178-0x0000000000000000-mapping.dmp
memory/1244-181-0x00000000003F0000-0x00000000009C3000-memory.dmp
memory/1244-182-0x00000000003F0000-0x00000000009C3000-memory.dmp
memory/1244-183-0x00000000004742AE-mapping.dmp
memory/1244-184-0x00000000003F0000-0x00000000009C3000-memory.dmp
memory/1556-186-0x0000000000000000-mapping.dmp
memory/1416-187-0x0000000000000000-mapping.dmp
memory/1164-190-0x0000000000000000-mapping.dmp
memory/1628-193-0x0000000000270000-0x0000000000766000-memory.dmp
memory/1628-195-0x00000000002F42AE-mapping.dmp
memory/1156-198-0x0000000000000000-mapping.dmp
memory/1052-199-0x0000000000000000-mapping.dmp
memory/1388-202-0x0000000000000000-mapping.dmp
memory/2044-207-0x00000000004142AE-mapping.dmp
memory/1624-210-0x0000000000000000-mapping.dmp
memory/1132-211-0x0000000000000000-mapping.dmp
memory/1008-214-0x0000000000000000-mapping.dmp
memory/1636-219-0x00000000005342AE-mapping.dmp
memory/556-222-0x0000000000000000-mapping.dmp
memory/304-223-0x0000000000000000-mapping.dmp
memory/912-226-0x0000000000000000-mapping.dmp
memory/1768-231-0x00000000004F42AE-mapping.dmp
memory/1316-234-0x0000000000000000-mapping.dmp
memory/1052-235-0x0000000000000000-mapping.dmp
memory/1500-238-0x0000000000000000-mapping.dmp
memory/1664-243-0x00000000005442AE-mapping.dmp
memory/848-246-0x0000000000000000-mapping.dmp
memory/1244-247-0x0000000000000000-mapping.dmp
memory/1796-250-0x0000000000000000-mapping.dmp
memory/308-255-0x00000000003642AE-mapping.dmp
memory/956-258-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-02 07:48
Reported
2021-11-02 07:50
Platform
win10-en-20210920
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 2272 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe |
| PID 1976 wrote to memory of 2272 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe |
| PID 1976 wrote to memory of 2272 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe |
| PID 2272 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif |
| PID 2272 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif |
| PID 2272 wrote to memory of 3920 | N/A | C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe | C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-NOVERMBER-877899PDF.js
C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
"C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe"
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
"C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif" itrmmetww.rmo
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | s.symcb.com | udp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 8.8.8.8:53 | ts-crl.ws.symantec.com | udp |
| US | 72.21.91.29:80 | ts-crl.ws.symantec.com | tcp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
Files
memory/2272-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PO-NOVERMBER-877899PDF.exe
| MD5 | 28d30de145c8793755f1bfdf99ea932f |
| SHA1 | aba0383ec8e41f7c2f9f24f7459dd9d0ba72683f |
| SHA256 | 9fc38110b27faec17d95668a9c43961bb3784e89b414c67256c48d54df2ef57f |
| SHA512 | 00c6ea5ad54b15416cc24a50ffc4d311d310cb12269cde343821b5d46f6d6f26d3eb755ba71cc56d2c5f32c486ec79d9951edc0b79be37a9e8f0ea3a16981c82 |
memory/3920-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\36105202\pfouh.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |