Analysis Overview
SHA256
cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
Threat Level: Known bad
The file PO-UPDATE-99077-IMG.rar was found to be: Known bad.
Malicious Activity Summary
NanoCore
WSHRAT Payload
WSHRAT
Executes dropped EXE
Blocklisted process makes network request
Loads dropped DLL
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2021-11-03 04:34 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2021-11-03 04:34 |
| Reported | 2021-11-03 04:37 |
| Platform | win7-en-20211014 |
| Max time kernel | 152s |
| Max time network | 149s |
| Command Line | |
Signatures
NanoCore
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | "C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 576 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 576 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 580 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 576 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 576 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 568 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 576 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 572 |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs" |
| C:\21691710\deakoc.pif | "C:\21691710\deakoc.pif" ajck.upw |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
memory/320-55-0x0000000076241000-0x0000000076243000-memory.dmp
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/368-60-0x0000000000000000-mapping.dmp
C:\21691710\ajck.upw
| MD5 | 388ed3b65c5a99b1c2f76efbefda97f6 |
| SHA1 | 83a4d9e2a0b577e09e30614664db2c198c7f5300 |
| SHA256 | 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0 |
| SHA512 | 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367 |
C:\21691710\libqgfu.cpl
| MD5 | 3bdfb69e0871a10905b481d4b7d4fe5c |
| SHA1 | 642f4dfebaff6877a55cd39e35e8e72c02c346d6 |
| SHA256 | 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717 |
| SHA512 | e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c |
C:\21691710\dwevhxk.nbk
| MD5 | 5295e3beaa081798b0709d5fc3a45531 |
| SHA1 | 7c3ac34ea24f0852b502362c06238cdcceca7bd2 |
| SHA256 | 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c |
| SHA512 | 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007 |
memory/1072-66-0x0000000000850000-0x0000000000F8D000-memory.dmp
memory/1072-67-0x0000000000850000-0x0000000000F8D000-memory.dmp
memory/1072-68-0x00000000008D42AE-mapping.dmp
memory/1072-69-0x0000000000850000-0x0000000000F8D000-memory.dmp
memory/1096-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
memory/1532-74-0x0000000000000000-mapping.dmp
C:\21691710\run.vbs
| MD5 | 8aef82a3c67b60d3a500008a4979000c |
| SHA1 | 3f28c9644306d934b010e72fed6fbe04680cfbf8 |
| SHA256 | 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda |
| SHA512 | 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842 |
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1772-78-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1724-81-0x0000000000270000-0x00000000008F6000-memory.dmp
memory/1724-82-0x0000000000270000-0x00000000008F6000-memory.dmp
memory/1724-83-0x00000000002F42AE-mapping.dmp
memory/1724-84-0x0000000000270000-0x00000000008F6000-memory.dmp
memory/1520-86-0x0000000000000000-mapping.dmp
memory/2040-87-0x0000000000000000-mapping.dmp
memory/760-89-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1104-92-0x0000000000400000-0x0000000000B56000-memory.dmp
memory/1104-93-0x0000000000400000-0x0000000000B56000-memory.dmp
memory/1104-94-0x00000000004842AE-mapping.dmp
memory/1104-95-0x0000000000400000-0x0000000000B56000-memory.dmp
memory/1468-97-0x0000000000000000-mapping.dmp
memory/2036-98-0x0000000000000000-mapping.dmp
memory/1200-100-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
Analysis: behavioral2
Detonation Overview
| Submitted | 2021-11-03 04:34 |
| Reported | 2021-11-03 04:37 |
| Platform | win10-en-20211014 |
| Max time kernel | 110s |
| Max time network | 126s |
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\21691710\deakoc.pif | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
| PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
| PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
Processes
C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe
"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/3336-115-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |