Analysis Overview
SHA256
cfd064120d4082919fa594937dde69cf44c67975db874fa803e9221ced2fff88
Threat Level: Known bad
The file PO-UPDATE-99077-IMG.rar was found to be: Known bad.
Malicious Activity Summary
WSHRAT Payload
NanoCore
WSHRAT
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-03 15:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-03 15:40
Reported
2021-11-03 15:46
Platform
win7-en-20210920
Max time kernel
301s
Max time network
303s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe
"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 568
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
memory/860-54-0x0000000075651000-0x0000000075653000-memory.dmp
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1508-59-0x0000000000000000-mapping.dmp
C:\21691710\ajck.upw
| MD5 | 388ed3b65c5a99b1c2f76efbefda97f6 |
| SHA1 | 83a4d9e2a0b577e09e30614664db2c198c7f5300 |
| SHA256 | 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0 |
| SHA512 | 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367 |
C:\21691710\libqgfu.cpl
| MD5 | 3bdfb69e0871a10905b481d4b7d4fe5c |
| SHA1 | 642f4dfebaff6877a55cd39e35e8e72c02c346d6 |
| SHA256 | 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717 |
| SHA512 | e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c |
C:\21691710\dwevhxk.nbk
| MD5 | 5295e3beaa081798b0709d5fc3a45531 |
| SHA1 | 7c3ac34ea24f0852b502362c06238cdcceca7bd2 |
| SHA256 | 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c |
| SHA512 | 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007 |
memory/680-65-0x00000000004D0000-0x0000000000B7C000-memory.dmp
memory/680-66-0x00000000004D0000-0x0000000000B7C000-memory.dmp
memory/680-67-0x00000000005542AE-mapping.dmp
memory/680-68-0x00000000004D0000-0x0000000000B7C000-memory.dmp
memory/436-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
memory/1804-72-0x0000000000000000-mapping.dmp
C:\21691710\run.vbs
| MD5 | 8aef82a3c67b60d3a500008a4979000c |
| SHA1 | 3f28c9644306d934b010e72fed6fbe04680cfbf8 |
| SHA256 | 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda |
| SHA512 | 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842 |
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1064-77-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1360-80-0x00000000003D0000-0x0000000000966000-memory.dmp
memory/1360-82-0x00000000004542AE-mapping.dmp
memory/1360-81-0x00000000003D0000-0x0000000000966000-memory.dmp
memory/1360-83-0x00000000003D0000-0x0000000000966000-memory.dmp
memory/944-85-0x0000000000000000-mapping.dmp
memory/1620-86-0x0000000000000000-mapping.dmp
memory/1056-88-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1656-91-0x0000000000410000-0x00000000008DC000-memory.dmp
memory/1656-92-0x0000000000410000-0x00000000008DC000-memory.dmp
memory/1656-93-0x00000000004942AE-mapping.dmp
memory/1656-94-0x0000000000410000-0x00000000008DC000-memory.dmp
memory/1648-96-0x0000000000000000-mapping.dmp
memory/1780-97-0x0000000000000000-mapping.dmp
memory/1396-99-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1640-102-0x00000000003E0000-0x0000000000ACE000-memory.dmp
memory/1640-103-0x00000000003E0000-0x0000000000ACE000-memory.dmp
memory/1640-104-0x00000000004642AE-mapping.dmp
memory/1640-105-0x00000000003E0000-0x0000000000ACE000-memory.dmp
memory/1584-107-0x0000000000000000-mapping.dmp
memory/1828-108-0x0000000000000000-mapping.dmp
memory/1856-110-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1704-113-0x0000000000410000-0x0000000000B47000-memory.dmp
memory/1704-114-0x0000000000410000-0x0000000000B47000-memory.dmp
memory/1704-115-0x00000000004942AE-mapping.dmp
memory/1704-116-0x0000000000410000-0x0000000000B47000-memory.dmp
memory/1144-118-0x0000000000000000-mapping.dmp
memory/844-119-0x0000000000000000-mapping.dmp
memory/1108-121-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/816-124-0x00000000002D0000-0x00000000008F2000-memory.dmp
memory/816-126-0x00000000003542AE-mapping.dmp
memory/816-125-0x00000000002D0000-0x00000000008F2000-memory.dmp
memory/816-127-0x00000000002D0000-0x00000000008F2000-memory.dmp
memory/1312-129-0x0000000000000000-mapping.dmp
memory/1584-130-0x0000000000000000-mapping.dmp
memory/1500-132-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1696-135-0x00000000003E0000-0x0000000000A65000-memory.dmp
memory/1696-136-0x00000000003E0000-0x0000000000A65000-memory.dmp
memory/1696-137-0x00000000004642AE-mapping.dmp
memory/1696-138-0x00000000003E0000-0x0000000000A65000-memory.dmp
memory/1396-140-0x0000000000000000-mapping.dmp
memory/968-141-0x0000000000000000-mapping.dmp
memory/1684-143-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1716-146-0x0000000000500000-0x0000000000C05000-memory.dmp
memory/1716-147-0x0000000000500000-0x0000000000C05000-memory.dmp
memory/1716-148-0x00000000005842AE-mapping.dmp
memory/1716-149-0x0000000000500000-0x0000000000C05000-memory.dmp
memory/844-151-0x0000000000000000-mapping.dmp
memory/1920-152-0x0000000000000000-mapping.dmp
memory/1140-154-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/944-157-0x00000000001D0000-0x0000000000711000-memory.dmp
memory/944-158-0x00000000001D0000-0x0000000000711000-memory.dmp
memory/944-159-0x00000000002542AE-mapping.dmp
memory/944-160-0x00000000001D0000-0x0000000000711000-memory.dmp
memory/1676-162-0x0000000000000000-mapping.dmp
memory/1612-163-0x0000000000000000-mapping.dmp
memory/680-165-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/820-168-0x0000000000360000-0x0000000000919000-memory.dmp
memory/820-169-0x0000000000360000-0x0000000000919000-memory.dmp
memory/820-170-0x00000000003E42AE-mapping.dmp
memory/820-171-0x0000000000360000-0x0000000000919000-memory.dmp
memory/1620-173-0x0000000000000000-mapping.dmp
memory/1224-174-0x0000000000000000-mapping.dmp
memory/1392-176-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/880-179-0x00000000003D0000-0x000000000099E000-memory.dmp
memory/880-181-0x00000000004542AE-mapping.dmp
memory/476-184-0x0000000000000000-mapping.dmp
memory/912-185-0x0000000000000000-mapping.dmp
memory/460-187-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1744-192-0x00000000004642AE-mapping.dmp
memory/1504-195-0x0000000000000000-mapping.dmp
memory/572-196-0x0000000000000000-mapping.dmp
memory/968-198-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/844-203-0x00000000003C42AE-mapping.dmp
memory/1528-206-0x0000000000000000-mapping.dmp
memory/392-207-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1584-209-0x0000000000000000-mapping.dmp
memory/1800-214-0x00000000003542AE-mapping.dmp
memory/940-217-0x0000000000000000-mapping.dmp
memory/1712-218-0x0000000000000000-mapping.dmp
memory/1620-220-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1500-225-0x00000000002542AE-mapping.dmp
memory/1396-228-0x0000000000000000-mapping.dmp
memory/1732-229-0x0000000000000000-mapping.dmp
memory/1780-231-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/476-236-0x00000000003542AE-mapping.dmp
memory/968-239-0x0000000000000000-mapping.dmp
memory/1636-240-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-03 15:40
Reported
2021-11-03 15:46
Platform
win10-en-20211014
Max time kernel
166s
Max time network
297s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\21691710\deakoc.pif | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4340 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
| PID 4340 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
| PID 4340 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
Processes
C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe
"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3220-115-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |