Analysis Overview
SHA256
a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb
Threat Level: Known bad
The file PO-UPDATE-99077-IMG.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
WSHRAT
WSHRAT Payload
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-05 11:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-05 11:37
Reported
2021-11-05 11:43
Platform
win7-en-20211104
Max time kernel
330s
Max time network
300s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT Payload
Blocklisted process makes network request
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A | 6 |
(Six identical rows collapsed into one; the report records neither the destination nor the protocol of these requests.)
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | N/A | 4 |
(Four identical rows collapsed into one; the report does not record the names of the loaded DLLs.)
Adds Run key to start application
| Description | Indicator | Process | Target | Count |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" | C:\21691710\deakoc.pif | N/A | 33 |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\21691710\deakoc.pif | N/A | 29 |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A | 1 |
The 64 rows of the original table are collapsed into the four distinct events above; Count is the number of times each was recorded. The deakoc.pif rows recur because that process is relaunched repeatedly (see Processes). Two separate persistence entries are written: the value WindowsUpdate, a name that imitates a Windows component, starts deakoc.pif with the argument c:\21691710\ajck.upw from the root-level directory C:\21691710, and the value pLMHJ starts wscript.exe in batch mode (//B, which suppresses script error dialogs) on the dropped pLMHJ.vbs, in addition to the copy of pLMHJ.vbs placed in the Startup folder (listed above). The Wow6432Node path is where a 32-bit process's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands on 64-bit Windows; when hunting for these values, search the 32-bit and the native HKLM key and the HKCU Run key of every profile.
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
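The Run-key, Startup-folder and network rows above are exactly the events a host-based triage rule should catch. The following is an added example, not part of the sandbox report or its tooling, of such rules in Python, run over a constructed, simplified Sysmon-like event list that mirrors this report's rows plus two benign control rows. The event field names, the rule strings, and the lists of script hosts, external-IP services and imitated value names are this example's own assumptions.

```python
"""Triage rules for the persistence and network events in the signature tables
above (Run-key values, the Startup-folder drop, the script-host ip-api.com lookup).
Added example, not part of the sandbox report. EVENTS is a constructed,
simplified Sysmon-like list mirroring the report's rows plus two benign control
rows; field names, rule strings and the host/service lists are assumptions."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
ODD_EXE_EXTS = {".pif", ".scr", ".com", ".bat", ".cmd"}          # legacy types that still run as programs
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}
MIMIC_NAMES = {"windowsupdate", "windowsdefender", "microsoftupdate"}  # example list of imitated names
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)

R_ODD_EXT = "run-key: executable has a legacy/unusual extension"
R_UNTRUSTED_DIR = "run-key: executable outside Windows/Program Files"
R_MIMIC = "run-key: value name mimics a Windows component"
R_BATCH = "run-key: script host in batch mode (//B)"
R_APPDATA_SCRIPT = "run-key: script host runs a script from AppData"
R_STARTUP_SCRIPT = "startup folder: script file dropped"
R_IP_LOOKUP = "network: script host queries an external-IP service"

EVENTS = [  # constructed from the report's rows; the last two are benign controls
    {"kind": "reg_set", "process": r"C:\21691710\deakoc.pif",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "value": r"c:\21691710\deakoc.pif c:\21691710\ajck.upw"},
    {"kind": "reg_set", "process": r"C:\Windows\SysWOW64\wscript.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\pLMHJ.vbs"'},
    {"kind": "file_create", "process": r"C:\Windows\SysWOW64\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs"},
    {"kind": "dns_query", "process": r"C:\Windows\SysWOW64\wscript.exe", "query": "ip-api.com"},
    {"kind": "reg_set", "process": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r'"C:\Program Files\Vendor\tray.exe" /silent'},
    {"kind": "dns_query", "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "ip-api.com"},
]

def tokens(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ext(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""

def check_run_value(ev):
    """Rules for a Run-key write: what is started, from where, and under what name."""
    if "\\currentversion\\run\\" not in ev["key"].lower():
        return []
    args = tokens(ev["value"])
    exe = args[0] if args else ""
    trusted = bool(TRUSTED_DIRS.match(exe))
    hits = []
    if ext(exe) in ODD_EXE_EXTS:
        hits.append(R_ODD_EXT)
    if "\\" in exe and not trusted:
        hits.append(R_UNTRUSTED_DIR)
    if ev["key"].rsplit("\\", 1)[-1].lower().replace(" ", "") in MIMIC_NAMES and not trusted:
        hits.append(R_MIMIC)
    if basename(exe) in SCRIPT_HOSTS:
        if any(a.lower() == "//b" for a in args[1:]):          # //B hides script errors from the user
            hits.append(R_BATCH)
        if any(ext(a) in SCRIPT_EXTS and "\\appdata\\" in a.lower() for a in args[1:]):
            hits.append(R_APPDATA_SCRIPT)
    return hits

def check_file_create(ev):
    ok = STARTUP_DIR.search(ev["path"]) and ext(ev["path"]) in SCRIPT_EXTS
    return [R_STARTUP_SCRIPT] if ok else []

def check_dns_query(ev):
    ok = basename(ev["process"]) in SCRIPT_HOSTS and ev["query"].lower() in IP_LOOKUP_SERVICES
    return [R_IP_LOOKUP] if ok else []

CHECKS = {"reg_set": check_run_value, "file_create": check_file_create, "dns_query": check_dns_query}

def triage(events):
    """One finding per (event, rule) hit: the rule, the acting process and the evidence."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["kind"])
        if check is None:
            continue
        detail = ev.get("value") or ev.get("path") or ev.get("query") or ""
        for rule in check(ev):
            findings.append({"rule": rule, "process": ev["process"], "detail": detail})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:<55} {f['process']}  <- {f['detail']}")
```

On the report's events the deakoc.pif entry fires three rules (a .pif executable, a path outside Windows and Program Files, and a value name imitating Windows Update) and the wscript.exe entry two (batch mode and a script under AppData); the Startup-folder drop and the ip-api.com lookup from a script host fire one each, while the vendor tray application and the browser's lookup of the same service stay silent. The key match is on the `\CurrentVersion\Run\` substring rather than the exact hive path because collectors differ in whether they report the Wow6432Node path or the logical 64-bit key.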
Processes
C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe
"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| US | 156.96.151.237:5001 | concideritdone.duckdns.org | tcp |
Files
memory/320-55-0x0000000076761000-0x0000000076763000-memory.dmp
\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\21691710\ajck.upw
| MD5 | 388ed3b65c5a99b1c2f76efbefda97f6 |
| SHA1 | 83a4d9e2a0b577e09e30614664db2c198c7f5300 |
| SHA256 | 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0 |
| SHA512 | 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367 |
C:\21691710\libqgfu.cpl
| MD5 | 3bdfb69e0871a10905b481d4b7d4fe5c |
| SHA1 | 642f4dfebaff6877a55cd39e35e8e72c02c346d6 |
| SHA256 | 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717 |
| SHA512 | e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c |
C:\21691710\dwevhxk.nbk
| MD5 | 5295e3beaa081798b0709d5fc3a45531 |
| SHA1 | 7c3ac34ea24f0852b502362c06238cdcceca7bd2 |
| SHA256 | 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c |
| SHA512 | 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007 |
C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
| MD5 | 952b1cbd78885f81760a77dc3b453fd3 |
| SHA1 | 4af75b46620b063fc23652c3ecaa3b4081074572 |
| SHA256 | fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d |
| SHA512 | 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837 |
memory/532-74-0x0000000000000000-mapping.dmp
C:\21691710\run.vbs
| MD5 | 8aef82a3c67b60d3a500008a4979000c |
| SHA1 | 3f28c9644306d934b010e72fed6fbe04680cfbf8 |
| SHA256 | 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda |
| SHA512 | 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-05 11:37
Reported
2021-11-05 11:43
Platform
win10-en-20211014
Max time kernel
114s
Max time network
314s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\21691710\deakoc.pif | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2668 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe | C:\21691710\deakoc.pif |
Processes
C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe
"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"
C:\21691710\deakoc.pif
"C:\21691710\deakoc.pif" ajck.upw
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.19:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/4028-115-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |