Malware Analysis Report

2025-04-14 08:30

Sample ID 211103-s4pwyaebd7
Target PO-UPDATE-99077-IMG.rar
SHA256 cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
Tags
nanocore wshrat keylogger persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88

Threat Level: Known bad

The file PO-UPDATE-99077-IMG.rar was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat keylogger persistence spyware stealer trojan

WSHRAT Payload

NanoCore

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-03 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-03 15:40

Reported

2021-11-03 15:46

Platform

win7-en-20210920

Max time kernel

301s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A (identical row reported 6 times)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A (identical row reported 63 times)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1508 set thread context of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 set thread context of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 set thread context of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1396 set thread context of 1640 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1856 set thread context of 1704 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1108 set thread context of 816 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 set thread context of 1696 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1684 set thread context of 1716 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1140 set thread context of 944 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 680 set thread context of 820 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1392 set thread context of 880 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 460 set thread context of 1744 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 968 set thread context of 844 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1584 set thread context of 1800 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1620 set thread context of 1500 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1780 set thread context of 476 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1308 set thread context of 1056 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1860 set thread context of 1224 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 764 set thread context of 2040 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1808 set thread context of 1108 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1688 set thread context of 1564 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1920 set thread context of 1552 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1284 set thread context of 576 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1556 set thread context of 1808 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 set thread context of 1900 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 708 set thread context of 1812 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1916 set thread context of 1560 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1780 set thread context of 1016 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1612 set thread context of 1168 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1416 set thread context of 844 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1360 set thread context of 1900 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1392 set thread context of 1780 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1628 set thread context of 1064 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1012 set thread context of 884 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 940 set thread context of 1688 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 880 set thread context of 1284 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 972 set thread context of 976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 952 set thread context of 1456 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1828 set thread context of 1044 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 844 set thread context of 1540 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1012 set thread context of 788 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1516 set thread context of 1968 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1708 set thread context of 1716 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 576 set thread context of 932 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1520 set thread context of 1308 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1000 set thread context of 940 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1564 set thread context of 1060 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1556 set thread context of 1408 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1700 set thread context of 1680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 964 set thread context of 1352 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 932 set thread context of 764 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1456 set thread context of 1856 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1800 set thread context of 1828 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1704 set thread context of 1540 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 576 set thread context of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1492 set thread context of 1168 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 680 set thread context of 1060 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1608 set thread context of 1760 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1360 set thread context of 1584 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1964 set thread context of 788 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2000 set thread context of 1640 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1760 set thread context of 1764 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (identical row reported 61 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A
N/A N/A C:\21691710\deakoc.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 860 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 860 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 860 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1508 wrote to memory of 680 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 680 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 680 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 680 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 680 wrote to memory of 436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1508 wrote to memory of 1804 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1508 wrote to memory of 1804 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1508 wrote to memory of 1804 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1508 wrote to memory of 1804 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1804 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1804 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1804 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1804 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 wrote to memory of 1360 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1360 wrote to memory of 944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1360 wrote to memory of 944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1360 wrote to memory of 944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1360 wrote to memory of 944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1064 wrote to memory of 1620 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1620 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1620 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1064 wrote to memory of 1620 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1620 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1620 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1620 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1620 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1056 wrote to memory of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1656 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1656 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1656 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1656 wrote to memory of 1648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1056 wrote to memory of 1780 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1056 wrote to memory of 1780 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1056 wrote to memory of 1780 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1056 wrote to memory of 1780 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1780 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 584

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 580

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 concideritdone.duckdns.org udp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp

Files

memory/860-54-0x0000000075651000-0x0000000075653000-memory.dmp

\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1508-59-0x0000000000000000-mapping.dmp

C:\21691710\ajck.upw

MD5 388ed3b65c5a99b1c2f76efbefda97f6
SHA1 83a4d9e2a0b577e09e30614664db2c198c7f5300
SHA256 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0
SHA512 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367

C:\21691710\libqgfu.cpl

MD5 3bdfb69e0871a10905b481d4b7d4fe5c
SHA1 642f4dfebaff6877a55cd39e35e8e72c02c346d6
SHA256 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717
SHA512 e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c

C:\21691710\dwevhxk.nbk

MD5 5295e3beaa081798b0709d5fc3a45531
SHA1 7c3ac34ea24f0852b502362c06238cdcceca7bd2
SHA256 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c
SHA512 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007

memory/680-65-0x00000000004D0000-0x0000000000B7C000-memory.dmp

memory/680-66-0x00000000004D0000-0x0000000000B7C000-memory.dmp

memory/680-67-0x00000000005542AE-mapping.dmp

memory/680-68-0x00000000004D0000-0x0000000000B7C000-memory.dmp

memory/436-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

memory/1804-72-0x0000000000000000-mapping.dmp

C:\21691710\run.vbs

MD5 8aef82a3c67b60d3a500008a4979000c
SHA1 3f28c9644306d934b010e72fed6fbe04680cfbf8
SHA256 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda
SHA512 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842

memory/1064-77-0x0000000000000000-mapping.dmp

memory/1360-80-0x00000000003D0000-0x0000000000966000-memory.dmp

memory/1360-82-0x00000000004542AE-mapping.dmp

memory/1360-81-0x00000000003D0000-0x0000000000966000-memory.dmp

memory/1360-83-0x00000000003D0000-0x0000000000966000-memory.dmp

memory/944-85-0x0000000000000000-mapping.dmp

memory/1620-86-0x0000000000000000-mapping.dmp

memory/1056-88-0x0000000000000000-mapping.dmp

memory/1656-91-0x0000000000410000-0x00000000008DC000-memory.dmp

memory/1656-92-0x0000000000410000-0x00000000008DC000-memory.dmp

memory/1656-93-0x00000000004942AE-mapping.dmp

memory/1656-94-0x0000000000410000-0x00000000008DC000-memory.dmp

memory/1648-96-0x0000000000000000-mapping.dmp

memory/1780-97-0x0000000000000000-mapping.dmp

memory/1396-99-0x0000000000000000-mapping.dmp

memory/1640-102-0x00000000003E0000-0x0000000000ACE000-memory.dmp

memory/1640-103-0x00000000003E0000-0x0000000000ACE000-memory.dmp

memory/1640-104-0x00000000004642AE-mapping.dmp

memory/1640-105-0x00000000003E0000-0x0000000000ACE000-memory.dmp

memory/1584-107-0x0000000000000000-mapping.dmp

memory/1828-108-0x0000000000000000-mapping.dmp

memory/1856-110-0x0000000000000000-mapping.dmp

memory/1704-113-0x0000000000410000-0x0000000000B47000-memory.dmp

memory/1704-114-0x0000000000410000-0x0000000000B47000-memory.dmp

memory/1704-115-0x00000000004942AE-mapping.dmp

memory/1704-116-0x0000000000410000-0x0000000000B47000-memory.dmp

memory/1144-118-0x0000000000000000-mapping.dmp

memory/844-119-0x0000000000000000-mapping.dmp

memory/1108-121-0x0000000000000000-mapping.dmp

memory/816-124-0x00000000002D0000-0x00000000008F2000-memory.dmp

memory/816-126-0x00000000003542AE-mapping.dmp

memory/816-125-0x00000000002D0000-0x00000000008F2000-memory.dmp

memory/816-127-0x00000000002D0000-0x00000000008F2000-memory.dmp

memory/1312-129-0x0000000000000000-mapping.dmp

memory/1584-130-0x0000000000000000-mapping.dmp

memory/1500-132-0x0000000000000000-mapping.dmp

memory/1696-135-0x00000000003E0000-0x0000000000A65000-memory.dmp

memory/1696-136-0x00000000003E0000-0x0000000000A65000-memory.dmp

memory/1696-137-0x00000000004642AE-mapping.dmp

memory/1696-138-0x00000000003E0000-0x0000000000A65000-memory.dmp

memory/1396-140-0x0000000000000000-mapping.dmp

memory/968-141-0x0000000000000000-mapping.dmp

memory/1684-143-0x0000000000000000-mapping.dmp

memory/1716-146-0x0000000000500000-0x0000000000C05000-memory.dmp

memory/1716-147-0x0000000000500000-0x0000000000C05000-memory.dmp

memory/1716-148-0x00000000005842AE-mapping.dmp

memory/1716-149-0x0000000000500000-0x0000000000C05000-memory.dmp

memory/844-151-0x0000000000000000-mapping.dmp

memory/1920-152-0x0000000000000000-mapping.dmp

memory/1140-154-0x0000000000000000-mapping.dmp

memory/944-157-0x00000000001D0000-0x0000000000711000-memory.dmp

memory/944-158-0x00000000001D0000-0x0000000000711000-memory.dmp

memory/944-159-0x00000000002542AE-mapping.dmp

memory/944-160-0x00000000001D0000-0x0000000000711000-memory.dmp

memory/1676-162-0x0000000000000000-mapping.dmp

memory/1612-163-0x0000000000000000-mapping.dmp

memory/680-165-0x0000000000000000-mapping.dmp

memory/820-168-0x0000000000360000-0x0000000000919000-memory.dmp

memory/820-169-0x0000000000360000-0x0000000000919000-memory.dmp

memory/820-170-0x00000000003E42AE-mapping.dmp

memory/820-171-0x0000000000360000-0x0000000000919000-memory.dmp

memory/1620-173-0x0000000000000000-mapping.dmp

memory/1224-174-0x0000000000000000-mapping.dmp

memory/1392-176-0x0000000000000000-mapping.dmp

memory/880-179-0x00000000003D0000-0x000000000099E000-memory.dmp

memory/880-181-0x00000000004542AE-mapping.dmp

memory/476-184-0x0000000000000000-mapping.dmp

memory/912-185-0x0000000000000000-mapping.dmp

memory/460-187-0x0000000000000000-mapping.dmp

memory/1744-192-0x00000000004642AE-mapping.dmp

memory/1504-195-0x0000000000000000-mapping.dmp

memory/572-196-0x0000000000000000-mapping.dmp

memory/968-198-0x0000000000000000-mapping.dmp

memory/844-203-0x00000000003C42AE-mapping.dmp

memory/1528-206-0x0000000000000000-mapping.dmp

memory/392-207-0x0000000000000000-mapping.dmp

memory/1584-209-0x0000000000000000-mapping.dmp

memory/1800-214-0x00000000003542AE-mapping.dmp

memory/940-217-0x0000000000000000-mapping.dmp

memory/1712-218-0x0000000000000000-mapping.dmp

memory/1620-220-0x0000000000000000-mapping.dmp

memory/1500-225-0x00000000002542AE-mapping.dmp

memory/1396-228-0x0000000000000000-mapping.dmp

memory/1732-229-0x0000000000000000-mapping.dmp

memory/1780-231-0x0000000000000000-mapping.dmp

memory/476-236-0x00000000003542AE-mapping.dmp

memory/968-239-0x0000000000000000-mapping.dmp

memory/1636-240-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-03 15:40

Reported

2021-11-03 15:46

Platform

win10-en-20211014

Max time kernel

166s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4340 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 4340 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 4340 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/3220-115-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba