Malware Analysis Report

2025-04-14 08:26

Sample ID 211103-gchsrsaddn
Target PO-UPDATE-99077-IMG.rar
SHA256 cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
Tags
nanocore wshrat keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88

Threat Level: Known bad

The file PO-UPDATE-99077-IMG.rar was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat keylogger persistence spyware stealer trojan

NanoCore

WSHRAT Payload

WSHRAT

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-03 05:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-03 05:39

Reported

2021-11-03 05:42

Platform

win7-en-20211014

Max time kernel

152s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target Count
(identical rows collapsed; Count = number of times the event was logged)
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A 29
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A 29
Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A 1
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A 1
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A 1
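The Run-key and Startup-folder rows above are the whole persistence footprint of this sample: deakoc.pif registers itself under a value named WindowsUpdate in the 32-bit HKLM Run key (re-written on each relaunch of deakoc.pif, which is why the same row appears so often), and the dropped script pLMHJ.vbs is registered under both the HKCU and HKLM Run keys and copied into the Startup folder. wscript.exe is invoked with //B, which runs the script in batch mode and suppresses script errors and prompts, and .pif is a legacy extension that Windows still executes as a PE file. The script below is an added example for triaging such rows, not part of the sandbox report or its vendor's tooling: it parses the indicator columns exactly as printed, flags the patterns seen here, and lists the files and registry values a responder would remove. The trusted-directory and user-writable path lists, the name-impersonation heuristic and the rule names are this example's own assumptions.

```python
"""Autorun triage over the persistence rows of this report (added example)."""
import re
from dataclasses import dataclass

# Constructed input: one copy of each distinct row from the "Adds Run key to
# start application" and "Drops startup file" tables above.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A',
]

RUN_VALUE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<writer>\S+) \S+$')
STARTUP_FILE = re.compile(r'^File created (?P<path>.+?) (?P<writer>\S+) \S+$')

# Assumptions: where legitimate autoruns live, where malware drops scripts,
# and which hosts run them. Paths are compared lower-cased.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\')
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'}
SCRIPT_EXTS = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.ps1')
LEGACY_EXE_EXTS = ('.pif', '.scr', '.com')   # still executed as PE files by Windows


@dataclass(frozen=True)
class Autorun:
    kind: str       # 'run_value' or 'startup_file'
    location: str   # registry value path, or the file inside the Startup folder
    command: str    # command line with the report's escaping removed, or the file path
    writer: str     # process that installed the entry


@dataclass(frozen=True)
class Finding:
    rule: str
    autorun: Autorun


def _unescape(s):
    # The report escapes '\' and '"' inside value data with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_autoruns(rows):
    autoruns = []
    for row in rows:
        m = RUN_VALUE.match(row)
        if m:
            autoruns.append(Autorun('run_value', f"{m['key']}\\{m['name']}",
                                    _unescape(m['data']), m['writer']))
            continue
        m = STARTUP_FILE.match(row)
        if m and '\\startup\\' in m['path'].lower():
            autoruns.append(Autorun('startup_file', m['path'], m['path'], m['writer']))
    return autoruns


def _first_token(command):
    """Executable part of a Windows command line (quoted, or up to the first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def _script_path(command):
    m = re.search(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    return next((t for t in command.split() if t.lower().endswith(SCRIPT_EXTS)), None)


def triage(rows):
    findings = []
    for a in parse_autoruns(rows):
        if a.kind == 'startup_file':
            findings.append(Finding('script dropped in Startup folder', a))
            continue
        exe = _first_token(a.command).lower()
        payload = exe
        if exe.rsplit('\\', 1)[-1] in SCRIPT_HOSTS:
            script = _script_path(a.command)
            if script:
                payload = script.lower()
                if any(d in payload for d in USER_WRITABLE):
                    findings.append(Finding('script host launches script from user-writable path', a))
            if ' //b ' in f' {a.command.lower()} ':
                findings.append(Finding('script host run with //B (errors suppressed)', a))
        elif not exe.startswith(TRUSTED_DIRS):
            findings.append(Finding('autorun binary outside trusted directories', a))
        if payload.endswith(LEGACY_EXE_EXTS):
            findings.append(Finding('legacy executable extension', a))
        name = a.location.rsplit('\\', 1)[-1].lower()
        if ('windows' in name or 'microsoft' in name) and not exe.startswith('c:\\windows\\'):
            findings.append(Finding('value name impersonates a Windows component', a))
    return findings


def artifacts(findings):
    """Registry values and files a responder would remove, derived from the findings."""
    files, values = set(), set()
    for f in findings:
        a = f.autorun
        if a.kind == 'startup_file':
            files.add(a.command)
            continue
        values.add(a.location)
        exe, script = _first_token(a.command), _script_path(a.command)
        files.update(p for p in (exe, script) if p and '\\' in p)
    return {'files': sorted(files), 'registry_values': sorted(values)}


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f'{f.rule:55} {f.autorun.location}')
    print(artifacts(triage(REPORT_ROWS)))
```

Run against the four rows, the WindowsUpdate value trips three rules (binary outside trusted directories, .pif extension, lookalike name), each pLMHJ value trips two (user-writable script, //B), and the Startup-folder copy one; artifacts() then names the two directories to clean, C:\21691710 and the user's AppData\Roaming, plus the three Run values. The HKLM write of pLMHJ only succeeds because the sandbox runs as Admin; on a least-privilege host only the HKCU value and the Startup copy would land.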

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 324 set thread context of 340 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1312 set thread context of 1108 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1204 set thread context of 936 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1172 set thread context of 1592 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 812 set thread context of 728 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1756 set thread context of 1368 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1132 set thread context of 1980 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2040 set thread context of 1312 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1940 set thread context of 948 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 340 set thread context of 932 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1340 set thread context of 1756 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1300 set thread context of 1824 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 set thread context of 2040 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 804 set thread context of 1764 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1244 set thread context of 1820 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1044 set thread context of 1060 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1360 set thread context of 1076 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1560 set thread context of 1640 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 968 set thread context of 1628 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 380 set thread context of 2044 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1244 set thread context of 1484 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1184 set thread context of 1340 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2024 set thread context of 1828 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1824 set thread context of 1924 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1896 set thread context of 1968 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1392 set thread context of 1620 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1708 set thread context of 1496 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 812 set thread context of 1548 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1964 set thread context of 1508 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
(identical rows collapsed; Count = number of times the event was logged)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 28
Each event is WerFault.exe handling a crash of a RegSvcs.exe instance that deakoc.pif had injected into; the -p <pid> argument in the process list below names the crashed instance.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
(identical rows collapsed; Count = number of times the event was logged)
N/A N/A C:\21691710\deakoc.pif N/A 44
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A 20

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
(identical rows collapsed; Count = number of times the event was logged)
PID 268 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif 4
PID 324 wrote to memory of 340 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 9
PID 340 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe 4
PID 324 wrote to memory of 1172 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe 4
PID 1172 wrote to memory of 1312 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif 4
PID 1312 wrote to memory of 1108 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 9
PID 1108 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 1312 wrote to memory of 1624 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe 4
PID 1624 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif 4
PID 1204 wrote to memory of 936 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 9
PID 936 wrote to memory of 340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 1204 wrote to memory of 308 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe 4
PID 308 wrote to memory of 1172 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif 1
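Read together, the SetThreadContext and WriteProcessMemory tables describe one injection chain rather than dozens of independent events: deakoc.pif writes into a freshly created RegSvcs.exe and then calls SetThreadContext on it, the write-then-SetThreadContext pairing of RunPE-style process hollowing; the hollowed RegSvcs.exe then either spawns wscript.exe (the process list shows it running pLMHJ.vbs) or crashes into WerFault.exe. Separately, deakoc.pif starts WScript.exe on run.vbs, which relaunches deakoc.pif, so the cycle repeats for the length of the run. Note also that PID 340 appears as RegSvcs.exe, later as WerFault.exe, and later still as deakoc.pif: PIDs are recycled within the 150 s run, so any reconstruction must key processes on (PID, image) rather than PID alone. The script below is an added example, not sandbox output, that rebuilds this chain from the rows as printed; the hollow-host and script-host lists are its own assumptions, and the row for PID 340 → 932 is included to show a SetThreadContext whose matching write row lies beyond where the table above was cut off.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory and
SetThreadContext rows (added example, not sandbox output)."""
import re
from collections import defaultdict

EVENT = re.compile(r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) '
                   r'(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')

# Assumptions: .NET utilities that RunPE-style loaders commonly hollow, and the
# script hosts used for the relaunch loop. Extend to taste.
HOLLOW_HOSTS = {'regsvcs.exe', 'regasm.exe', 'installutil.exe', 'msbuild.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}

# Constructed input: one copy of each distinct row from the two tables above.
REPORT_ROWS = [
    r'PID 268 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif',
    r'PID 324 wrote to memory of 340 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'PID 340 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe',
    r'PID 324 wrote to memory of 1172 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe',
    r'PID 1172 wrote to memory of 1312 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif',
    r'PID 1312 wrote to memory of 1108 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'PID 1108 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe',
    r'PID 1312 wrote to memory of 1624 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe',
    r'PID 1624 wrote to memory of 1204 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif',
    r'PID 1204 wrote to memory of 936 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'PID 936 wrote to memory of 340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe',
    r'PID 324 set thread context of 340 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'PID 1312 set thread context of 1108 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'PID 1204 set thread context of 936 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    # PID 340 again, now running deakoc.pif; its matching write row lies past the
    # point where the report's WriteProcessMemory table was cut off.
    r'PID 340 set thread context of 932 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
]


def _base(image):
    return image.rsplit('\\', 1)[-1].lower()


def parse_events(rows):
    """Return ((src_pid, src_image), (dst_pid, dst_image), op) per row."""
    events = []
    for row in rows:
        m = EVENT.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row}')
        op = 'write' if m['op'].startswith('wrote') else 'set_context'
        events.append(((int(m['src']), m['src_img']), (int(m['dst']), m['dst_img']), op))
    return events


def build_graph(events):
    """Edges keyed by (pid, image) at both ends, so a recycled PID is not merged
    with its earlier owner. Value: the set of operations seen on the edge."""
    graph = defaultdict(set)
    for src, dst, op in events:
        graph[(src, dst)].add(op)
    return graph


def hollowed_processes(graph):
    """A write followed by SetThreadContext into the same child is the RunPE /
    process-hollowing pattern. A write alone is also what plain process creation
    looks like in this report (e.g. RegSvcs.exe -> WerFault.exe), so it is not enough."""
    return sorted((src, dst) for (src, dst), ops in graph.items()
                  if {'write', 'set_context'} <= ops and _base(dst[1]) in HOLLOW_HOSTS)


def pid_reuse(events):
    """PIDs that appear with more than one image during the run."""
    seen = defaultdict(set)
    for src, dst, _ in events:
        seen[src[0]].add(_base(src[1]))
        seen[dst[0]].add(_base(dst[1]))
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def image_graph(graph):
    """Collapse the PID graph to image basenames."""
    g = defaultdict(set)
    for src, dst in graph:
        g[_base(src[1])].add(_base(dst[1]))
    return g


def relaunch_cycles(igraph):
    """Two-step cycles through a script host, e.g. deakoc.pif -> wscript.exe -> deakoc.pif."""
    return sorted((a, b) for a, kids in igraph.items()
                  for b in kids if b in SCRIPT_HOSTS and a in igraph.get(b, ()))


def crashed_hollows(graph):
    """Hollowed children that went on to spawn WerFault.exe, i.e. the injected payload crashed."""
    hollowed = {dst for _, dst in hollowed_processes(graph)}
    return sorted(src for src, dst in graph if src in hollowed and _base(dst[1]) == 'werfault.exe')


if __name__ == '__main__':
    events = parse_events(REPORT_ROWS)
    graph = build_graph(events)
    for src, dst in hollowed_processes(graph):
        print(f'hollowed: {src[0]} {_base(src[1])} -> {dst[0]} {_base(dst[1])}')
    print('crashed:', [pid for pid, _ in crashed_hollows(graph)])
    print('relaunch loop:', relaunch_cycles(image_graph(graph)))
    print('PID reuse:', pid_reuse(events))
```

On the rows above this yields three hollowed RegSvcs.exe instances (PIDs 340, 936 and 1108, all written by deakoc.pif), two of which crashed into WerFault.exe, one relaunch loop deakoc.pif -> wscript.exe -> deakoc.pif, and PID 340 carrying three different images. The same (PID, image) keying rule applies when the source is live telemetry such as Sysmon ProcessAccess (Event ID 10) rather than a sandbox table, and the crash count is the same signal the Program crash signature above reports per WerFault -p <pid> launch.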

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 572


Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 concideritdone.duckdns.org udp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp

Files

\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\21691710\ajck.upw

MD5 388ed3b65c5a99b1c2f76efbefda97f6
SHA1 83a4d9e2a0b577e09e30614664db2c198c7f5300
SHA256 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0
SHA512 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367

C:\21691710\libqgfu.cpl

MD5 3bdfb69e0871a10905b481d4b7d4fe5c
SHA1 642f4dfebaff6877a55cd39e35e8e72c02c346d6
SHA256 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717
SHA512 e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c

C:\21691710\dwevhxk.nbk

MD5 5295e3beaa081798b0709d5fc3a45531
SHA1 7c3ac34ea24f0852b502362c06238cdcceca7bd2
SHA256 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c
SHA512 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007

C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

C:\21691710\run.vbs

MD5 8aef82a3c67b60d3a500008a4979000c
SHA1 3f28c9644306d934b010e72fed6fbe04680cfbf8
SHA256 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda
SHA512 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-03 05:39

Reported

2021-11-03 05:42

Platform

win10-en-20211014

Max time kernel

109s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country Destination Domain Proto
IE 52.109.76.32:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba