Malware Analysis Report

2025-04-14 08:27

Sample ID 211103-e7dfesdcb4
Target PO-UPDATE-99077-IMG.rar
SHA256 cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
Tags nanocore wshrat keylogger persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88

Threat Level: Known bad

The file PO-UPDATE-99077-IMG.rar was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat keylogger persistence spyware stealer trojan

NanoCore

WSHRAT Payload

WSHRAT

Executes dropped EXE

Blocklisted process makes network request

Loads dropped DLL

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-03 04:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-03 04:34

Reported

2021-11-03 04:37

Platform

win7-en-20211014

Max time kernel

152s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 368 set thread context of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 set thread context of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 set thread context of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1200 set thread context of 924 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1596 set thread context of 1772 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1532 set thread context of 1160 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 568 set thread context of 1592 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 988 set thread context of 1572 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 616 set thread context of 1636 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2024 set thread context of 1808 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1160 set thread context of 1076 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1584 set thread context of 616 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1572 set thread context of 1580 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 set thread context of 1712 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1568 set thread context of 952 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1544 set thread context of 2016 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 set thread context of 1684 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1740 set thread context of 912 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1688 set thread context of 588 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1596 set thread context of 808 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 952 set thread context of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1700 set thread context of 1484 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 set thread context of 1488 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 924 set thread context of 820 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1348 set thread context of 1712 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 740 set thread context of 668 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1200 set thread context of 988 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 984 set thread context of 860 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 368 wrote to memory of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1072 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1072 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1072 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1072 wrote to memory of 1096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 368 wrote to memory of 1532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 368 wrote to memory of 1532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 368 wrote to memory of 1532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 368 wrote to memory of 1532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1724 wrote to memory of 1520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 1520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 1520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 1520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1772 wrote to memory of 2040 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 2040 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 2040 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 2040 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 2040 wrote to memory of 760 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 2040 wrote to memory of 760 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 2040 wrote to memory of 760 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 2040 wrote to memory of 760 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 760 wrote to memory of 1104 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1104 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1104 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1104 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1104 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 760 wrote to memory of 2036 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 760 wrote to memory of 2036 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 760 wrote to memory of 2036 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 760 wrote to memory of 2036 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 2036 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 concideritdone.duckdns.org udp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp

Files

\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\21691710\ajck.upw

MD5 388ed3b65c5a99b1c2f76efbefda97f6
SHA1 83a4d9e2a0b577e09e30614664db2c198c7f5300
SHA256 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0
SHA512 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367

C:\21691710\libqgfu.cpl

MD5 3bdfb69e0871a10905b481d4b7d4fe5c
SHA1 642f4dfebaff6877a55cd39e35e8e72c02c346d6
SHA256 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717
SHA512 e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c

C:\21691710\dwevhxk.nbk

MD5 5295e3beaa081798b0709d5fc3a45531
SHA1 7c3ac34ea24f0852b502362c06238cdcceca7bd2
SHA256 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c
SHA512 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007

C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

C:\21691710\run.vbs

MD5 8aef82a3c67b60d3a500008a4979000c
SHA1 3f28c9644306d934b010e72fed6fbe04680cfbf8
SHA256 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda
SHA512 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-03 04:34

Reported

2021-11-03 04:37

Platform

win10-en-20211014

Max time kernel

110s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba