Malware Analysis Report

2025-04-14 08:22

Sample ID 211105-nrccvsbeg8
Target PO-UPDATE-99077-IMG.exe
SHA256 a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb
Tags
nanocore wshrat keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5024b85683de19bd2d065ceb57c611a3dac9746ed9bc5e6939cc5eb5b8011bb

Threat Level: Known bad

The file PO-UPDATE-99077-IMG.exe was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat keylogger persistence spyware stealer trojan

NanoCore

WSHRAT

WSHRAT Payload

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-05 11:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-05 11:37

Reported

2021-11-05 11:43

Platform

win7-en-20211104

Max time kernel

330s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A 6

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\21691710\deakoc.pif N/A 64

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target Count
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\21691710\\deakoc.pif c:\\21691710\\ajck.upw" C:\21691710\deakoc.pif N/A 33
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\21691710\deakoc.pif N/A 29
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pLMHJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\pLMHJ.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A 1
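The two Run-key values above and the pLMHJ.vbs dropped into the Startup folder (see "Drops startup file") are this sample's persistence: deakoc.pif registers itself under the name WindowsUpdate, and wscript.exe registers the .vbs with //B so it runs silently. The Python below is an added example, not part of the sandbox report or its tooling. It scores autorun entries with a few heuristics that fit what the tables show (a value name that mimics a Windows component, a payload in a numeric directory at the volume root, a .pif or script target, a script host launched from a user-writable path). The input rows are constructed from the tables on this page; the LOOKALIKE_NAMES set and the regular expressions are the author's assumptions, and the same functions would apply to values read from a live host's HKLM and HKCU Run keys.

```python
"""Score autorun entries from a sandbox report or a live host.

Added example for this report; the rows are constructed from the "Adds Run key"
and "Drops startup file" tables, and every scoring rule below is the author's
heuristic rather than a sandbox signature.
"""
import re
from dataclasses import dataclass, field

HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the report: (key, value name, value data).
RUN_KEY_ROWS = [
    (HKLM_RUN, "WindowsUpdate", r"c:\21691710\deakoc.pif c:\21691710\ajck.upw"),
    (HKLM_RUN, "pLMHJ", r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\pLMHJ.vbs"'),
]
# Constructed from the "Drops startup file" table.
STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLMHJ.vbs",
]

# Assumed lookalike list; extend it with whatever names your estate sees abused.
LOOKALIKE_NAMES = {"windowsupdate", "windows update", "svchost", "explorer", "csrss"}
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
ROOT_NUMERIC_DIR = re.compile(r"^[a-z]:\\\d{6,}\\", re.I)          # c:\21691710\...
ODD_EXTENSION = re.compile(r"\.(pif|scr|com|vbs|vbe|js|jse|wsf|hta)\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass
class Finding:
    source: str
    reasons: list = field(default_factory=list)


def triage_run_value(key, name, data):
    """Return a Finding for one Run-key value; reasons is empty when nothing matched."""
    reasons = []
    if name.lower() in LOOKALIKE_NAMES:
        reasons.append(f"value name {name!r} mimics a Windows component")
    if SCRIPT_HOST.search(data):
        reasons.append("script host launched from a Run key")
    if USER_WRITABLE.search(data):
        reasons.append("payload in a user-writable directory")
    if ROOT_NUMERIC_DIR.match(data):
        reasons.append("payload in a numeric directory at the volume root")
    if ODD_EXTENSION.search(data):
        reasons.append("autorun target is a .pif/.scr/script rather than an .exe")
    return Finding(f"{key}\\{name}", reasons)


def triage_startup_file(path):
    """Return a Finding for a file written into a Startup folder."""
    reasons = []
    if STARTUP_DIR.search(path):
        reasons.append("file placed in a Startup folder")
    if ODD_EXTENSION.search(path):
        reasons.append("Startup item is a script")
    return Finding(path, reasons)


def triage_all(run_rows=RUN_KEY_ROWS, startup_files=STARTUP_FILES):
    """Findings with at least one reason, Run-key rows first."""
    findings = [triage_run_value(*row) for row in run_rows]
    findings += [triage_startup_file(p) for p in startup_files]
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for finding in triage_all():
        print(finding.source)
        for reason in finding.reasons:
            print("  -", reason)
```

Two collection details matter when reproducing this on a host rather than from the report: the HKLM value sits under Wow6432Node because deakoc.pif is a 32-bit process on a 64-bit Windows 7 image, so a collector that reads only the native 64-bit view of the Run key will miss it; and the key that wscript.exe created under \REGISTRY\USER\S-1-5-21-...-1000 is the HKCU view for the logged-on user, so both hives need to be read.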

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1368 set thread context of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 set thread context of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 set thread context of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1240 set thread context of 1472 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 948 set thread context of 2008 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1164 set thread context of 804 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1616 set thread context of 1928 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 868 set thread context of 1356 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1832 set thread context of 1536 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1052 set thread context of 972 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1080 set thread context of 1312 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 set thread context of 1796 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1960 set thread context of 1156 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1744 set thread context of 804 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1592 set thread context of 1972 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 924 set thread context of 2036 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1128 set thread context of 1584 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 set thread context of 1064 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1920 set thread context of 396 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1700 set thread context of 1756 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1776 set thread context of 804 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1092 set thread context of 2004 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 576 set thread context of 1996 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1184 set thread context of 1476 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1740 set thread context of 768 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 396 set thread context of 1880 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 584 set thread context of 668 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1064 set thread context of 604 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1592 set thread context of 1880 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 540 set thread context of 1100 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1728 set thread context of 1768 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1684 set thread context of 1772 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1896 set thread context of 1588 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1696 set thread context of 1196 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1740 set thread context of 1920 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1880 set thread context of 1556 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1216 set thread context of 1952 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 set thread context of 684 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1000 set thread context of 1772 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1992 set thread context of 1116 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1152 set thread context of 1112 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 684 set thread context of 1736 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1844 set thread context of 1484 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1880 set thread context of 1072 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1920 set thread context of 1736 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 set thread context of 1000 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1844 set thread context of 888 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1788 set thread context of 1716 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1960 set thread context of 1004 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 924 set thread context of 1724 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1152 set thread context of 1584 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 604 set thread context of 1312 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1176 set thread context of 1052 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 980 set thread context of 1196 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 set thread context of 288 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1128 set thread context of 1532 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1380 set thread context of 1656 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 396 set thread context of 748 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1108 set thread context of 1756 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1356 set thread context of 1112 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 set thread context of 896 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 768 set thread context of 1892 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1092 set thread context of 1184 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1332 set thread context of 1844 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 64

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\21691710\deakoc.pif N/A 43
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A 21

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1096 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1096 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1096 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1096 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1368 wrote to memory of 532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1368 wrote to memory of 532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1368 wrote to memory of 532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1368 wrote to memory of 532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1380 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1772 wrote to memory of 1372 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 1372 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 1372 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1772 wrote to memory of 1372 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1372 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1372 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1372 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1372 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1540 wrote to memory of 1976 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1976 wrote to memory of 984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1976 wrote to memory of 984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1976 wrote to memory of 984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1540 wrote to memory of 1844 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1540 wrote to memory of 1844 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1540 wrote to memory of 1844 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1540 wrote to memory of 1844 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 1844 wrote to memory of 1240 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
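The rows above are enough to rebuild the whole injection chain without the sandbox: each "PID A wrote to memory of B" line is a parent-to-child write, and the repeated rows are one entry per WriteProcessMemory call. The script below is an added example, not code from the report or from the sandbox vendor; it parses a constructed copy of a subset of those rows, reconstructs the chain from the initial PO-UPDATE-99077-IMG.exe process (PID 320), and flags process-hollowing candidates. The heuristic it uses (a writer living outside C:\Windows injecting into an argument-less Microsoft .NET utility such as RegSvcs.exe) and the HOLLOW_HOSTS list are this example's own assumptions, not rules the sandbox applied.

```python
"""Rebuild the injection chain from a sandbox WriteProcessMemory table.

Added example; this is not code from the report or the sandbox vendor. The
events below are copied from the "Suspicious use of WriteProcessMemory" rows
above (a subset, duplicate rows kept on purpose), and the hollowing heuristic
is this example's own assumption: a process living outside C:\\Windows that
writes into a freshly spawned Microsoft .NET utility such as RegSvcs.exe is
treated as a process-hollowing candidate.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the report table (not a live capture).
EVENTS = r"""
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 320 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1096 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1096 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1368 wrote to memory of 532 N/A C:\21691710\deakoc.pif C:\Windows\SysWOW64\WScript.exe
PID 532 wrote to memory of 1772 N/A C:\Windows\SysWOW64\WScript.exe C:\21691710\deakoc.pif
PID 1772 wrote to memory of 1380 N/A C:\21691710\deakoc.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1380 wrote to memory of 1476 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
"""

# One table row: writer PID, target PID, the "N/A" indicator column, then the
# two image paths (the second path always starts with a drive letter).
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?) (C:\\.+)$")

# .NET utilities that run with no arguments and are common hollowing hosts
# (illustrative list, an assumption of this example).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


def parse_events(text):
    """Return (edges, counts).

    edges: ordered list of unique (src_pid, dst_pid, src_image, dst_image)
    counts: number of write rows seen for each (src_pid, dst_pid) pair
    """
    edges, counts = [], Counter()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edge = (src, dst, m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
        counts[(src, dst)] += 1
    return edges, counts


def is_hollowing_candidate(src_image, dst_image):
    """Writer outside C:\\Windows injecting into a Microsoft .NET host."""
    writer_in_windows = src_image.lower().startswith("c:\\windows\\")
    target = PureWindowsPath(dst_image).name.lower()
    return (not writer_in_windows) and target in HOLLOW_HOSTS


def find_hollowing(edges):
    """(writer_pid, target_pid) pairs that match the hollowing heuristic."""
    return [(s, d) for s, d, si, di in edges if is_hollowing_candidate(si, di)]


def injection_chain(edges, root):
    """Depth-first list of PIDs reachable from root through write events."""
    children = defaultdict(list)
    for s, d, _, _ in edges:
        children[s].append(d)
    order, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children[pid]))  # keep table order in the walk
    return order


if __name__ == "__main__":
    edges, counts = parse_events(EVENTS)
    print("chain from PID 320:", " -> ".join(str(p) for p in injection_chain(edges, 320)))
    for writer, target in find_hollowing(edges):
        print(f"hollowing candidate: {writer} -> {target} "
              f"({counts[(writer, target)]} write rows)")
```

Run against the sample, the walk from PID 320 follows the same loop the report shows: the dropper writes into deakoc.pif, deakoc.pif hollows RegSvcs.exe, and each RegSvcs.exe instance either launches wscript.exe or crashes into WerFault.exe before the run.vbs relaunch starts the cycle again. When correlating these PIDs with the Processes section, note that the image path there reads SysWOW64 while the command line reads System32; that is WOW64 file-system redirection for a 32-bit process, not two different binaries.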

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\21691710\run.vbs"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 concideritdone.duckdns.org udp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp
US 156.96.151.237:5001 concideritdone.duckdns.org tcp

Files

memory/320-55-0x0000000076761000-0x0000000076763000-memory.dmp

\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1368-60-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\21691710\ajck.upw

MD5 388ed3b65c5a99b1c2f76efbefda97f6
SHA1 83a4d9e2a0b577e09e30614664db2c198c7f5300
SHA256 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0
SHA512 81d3077fcf8598ae68b1727decbfdc3d0afd9aca789bcfef387f491582a91289a1118221aca4f4da9ae280adf669b28ee0aa62318521f5d8238894b271a36367

C:\21691710\libqgfu.cpl

MD5 3bdfb69e0871a10905b481d4b7d4fe5c
SHA1 642f4dfebaff6877a55cd39e35e8e72c02c346d6
SHA256 2b64a2310605440c8c3ce0b870e2d3eb641adb3a7cd3526a355dfc9390ead717
SHA512 e5dfab087d7e2f83182353453280a482968cd418a070421fe1733a6ccd0f9ae040ff6be0c101e846eb8147976138e6e584092da93ea9a2747667283520b06f5c

C:\21691710\dwevhxk.nbk

MD5 5295e3beaa081798b0709d5fc3a45531
SHA1 7c3ac34ea24f0852b502362c06238cdcceca7bd2
SHA256 9e13e97ec5fb6cd2c1579a107e855434797d5d67e5f6562b9ac4f4afd76ff53c
SHA512 60a4b3cdea899bde612e57d68b236999d1fe45fe39c0a027d3a44d4117632d0654babe0577576367beca8298f95ebe72750b01d43296bdfa85abcdb2cc219007

memory/1096-66-0x0000000000230000-0x00000000008BB000-memory.dmp

memory/1096-67-0x0000000000230000-0x00000000008BB000-memory.dmp

memory/1096-68-0x00000000002B42AE-mapping.dmp

memory/1096-69-0x0000000000230000-0x00000000008BB000-memory.dmp

memory/968-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\pLMHJ.vbs

MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
SHA512 1d6f2f6d91f88725b9515b2877348616dee3d96b862014f6c6b54f41b18835483cdf5b6294e99e0fdff17d80d79b27ac70638cab6376b15526b87b592313b837

memory/532-74-0x0000000000000000-mapping.dmp

C:\21691710\run.vbs

MD5 8aef82a3c67b60d3a500008a4979000c
SHA1 3f28c9644306d934b010e72fed6fbe04680cfbf8
SHA256 6897a2bb61cf3de4997d321656075234b6c3eebef593196d8d5296c55d0e6fda
SHA512 16e17c19a388774174656523b327bf1e4c4246c77f42e8910b1faf740129d819834c507d3c44bb8adf82cb123a5689dcc70be756f95a9a54415233a02ddca842

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1772-78-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1380-81-0x0000000000310000-0x0000000000993000-memory.dmp

memory/1380-82-0x0000000000310000-0x0000000000993000-memory.dmp

memory/1380-83-0x00000000003942AE-mapping.dmp

memory/1380-84-0x0000000000310000-0x0000000000993000-memory.dmp

memory/1476-86-0x0000000000000000-mapping.dmp

memory/1372-87-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1540-89-0x0000000000000000-mapping.dmp

memory/1976-92-0x0000000000250000-0x0000000000962000-memory.dmp

memory/1976-94-0x00000000002D42AE-mapping.dmp

memory/1976-93-0x0000000000250000-0x0000000000962000-memory.dmp

memory/1976-95-0x0000000000250000-0x0000000000962000-memory.dmp

memory/984-97-0x0000000000000000-mapping.dmp

memory/1844-98-0x0000000000000000-mapping.dmp

memory/1240-100-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1472-103-0x0000000000290000-0x0000000000888000-memory.dmp

memory/1472-104-0x0000000000290000-0x0000000000888000-memory.dmp

memory/1472-105-0x00000000003142AE-mapping.dmp

memory/1472-106-0x0000000000290000-0x0000000000888000-memory.dmp

memory/1156-108-0x0000000000000000-mapping.dmp

memory/1232-109-0x0000000000000000-mapping.dmp

memory/948-111-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/2008-114-0x0000000000330000-0x0000000000A50000-memory.dmp

memory/2008-115-0x0000000000330000-0x0000000000A50000-memory.dmp

memory/2008-116-0x00000000003B42AE-mapping.dmp

memory/2008-117-0x0000000000330000-0x0000000000A50000-memory.dmp

memory/1500-119-0x0000000000000000-mapping.dmp

memory/1728-120-0x0000000000000000-mapping.dmp

memory/1164-122-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/804-125-0x0000000000270000-0x0000000000753000-memory.dmp

memory/804-126-0x0000000000270000-0x0000000000753000-memory.dmp

memory/804-127-0x00000000002F42AE-mapping.dmp

memory/804-128-0x0000000000270000-0x0000000000753000-memory.dmp

memory/1312-130-0x0000000000000000-mapping.dmp

memory/1380-131-0x0000000000000000-mapping.dmp

memory/1616-133-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1928-136-0x0000000000310000-0x00000000008ED000-memory.dmp

memory/1928-137-0x0000000000310000-0x00000000008ED000-memory.dmp

memory/1928-138-0x00000000003942AE-mapping.dmp

memory/1928-139-0x0000000000310000-0x00000000008ED000-memory.dmp

memory/984-141-0x0000000000000000-mapping.dmp

memory/556-142-0x0000000000000000-mapping.dmp

memory/868-144-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1356-147-0x00000000003E0000-0x0000000000924000-memory.dmp

memory/1356-148-0x00000000003E0000-0x0000000000924000-memory.dmp

memory/1356-149-0x00000000004642AE-mapping.dmp

memory/1356-150-0x00000000003E0000-0x0000000000924000-memory.dmp

memory/1204-152-0x0000000000000000-mapping.dmp

memory/836-153-0x0000000000000000-mapping.dmp

memory/1832-155-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1536-158-0x0000000000340000-0x0000000000A06000-memory.dmp

memory/1536-159-0x0000000000340000-0x0000000000A06000-memory.dmp

memory/1536-160-0x00000000003C42AE-mapping.dmp

memory/1536-161-0x0000000000340000-0x0000000000A06000-memory.dmp

memory/984-163-0x0000000000000000-mapping.dmp

memory/1720-164-0x0000000000000000-mapping.dmp

memory/1052-166-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/972-169-0x0000000000380000-0x000000000099C000-memory.dmp

memory/972-170-0x0000000000380000-0x000000000099C000-memory.dmp

memory/972-171-0x00000000004042AE-mapping.dmp

memory/972-172-0x0000000000380000-0x000000000099C000-memory.dmp

memory/1112-174-0x0000000000000000-mapping.dmp

memory/1736-175-0x0000000000000000-mapping.dmp

memory/1080-177-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1312-180-0x00000000004C0000-0x0000000000BC1000-memory.dmp

memory/1312-182-0x00000000005442AE-mapping.dmp

memory/1724-185-0x0000000000000000-mapping.dmp

memory/288-186-0x0000000000000000-mapping.dmp

memory/1064-188-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1796-193-0x00000000002D42AE-mapping.dmp

memory/1552-196-0x0000000000000000-mapping.dmp

memory/1376-197-0x0000000000000000-mapping.dmp

memory/1960-199-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1156-204-0x00000000004842AE-mapping.dmp

memory/1740-207-0x0000000000000000-mapping.dmp

memory/1052-208-0x0000000000000000-mapping.dmp

memory/1744-210-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/804-215-0x00000000002F42AE-mapping.dmp

memory/1712-218-0x0000000000000000-mapping.dmp

memory/604-219-0x0000000000000000-mapping.dmp

memory/1592-221-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1972-226-0x00000000002D42AE-mapping.dmp

memory/1880-229-0x0000000000000000-mapping.dmp

memory/1356-230-0x0000000000000000-mapping.dmp

memory/924-232-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/2036-237-0x00000000004242AE-mapping.dmp

memory/568-240-0x0000000000000000-mapping.dmp

memory/1472-241-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba


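The Files listing above repeats the same deakoc.pif hashes many times and scatters memory-dump names across a dozen PIDs; what is worth keeping from it is the set of distinct (path, hash) indicators and, for the dumped process regions, whether the addresses point at one and the same image. The Python below is an added example and not part of the report: it parses a trimmed excerpt copied from the listing above (SHA512 lines dropped for brevity), collapses the repeated entries, and computes, for every PID that has both a dumped region and a nonzero `-mapping.dmp` address, the offset of that address from the region base. On this listing the offset is 0x842AE for every such PID, which is what one would expect if the same image is being placed at a different base in each of those processes; that interpretation is mine, not the report's. The regexes describe the dump-name convention as seen in this listing and are an assumption about the sandbox.

```python
"""Collapse the repetitive Files listing of this report into distinct indicators
and check the dumped memory regions for a common image offset.

Added example. EXCERPT is copied from the behavioral1 Files section (trimmed,
SHA512 lines omitted); the regexes are an assumption about the sandbox's naming.
"""
import re
from collections import defaultdict

# Only the listing body belongs here: any line that is not a memory dump name or
# a hash line is treated as a file path.
EXCERPT = r"""
memory/320-55-0x0000000076761000-0x0000000076763000-memory.dmp
\21691710\deakoc.pif
MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
memory/1368-60-0x0000000000000000-mapping.dmp
C:\21691710\deakoc.pif
MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
C:\21691710\ajck.upw
MD5 388ed3b65c5a99b1c2f76efbefda97f6
SHA1 83a4d9e2a0b577e09e30614664db2c198c7f5300
SHA256 4a0868d349288c62ccd9b06237ea24b3bde932cff05a6a60f44df1a189c399b0
memory/1096-66-0x0000000000230000-0x00000000008BB000-memory.dmp
memory/1096-68-0x00000000002B42AE-mapping.dmp
C:\Users\Admin\AppData\Roaming\pLMHJ.vbs
MD5 952b1cbd78885f81760a77dc3b453fd3
SHA1 4af75b46620b063fc23652c3ecaa3b4081074572
SHA256 fe3f15e4a3d59457c16fb955e38be8df4bfe3a0978a2b09c85705f14bb6d751d
memory/1380-81-0x0000000000310000-0x0000000000993000-memory.dmp
memory/1380-83-0x00000000003942AE-mapping.dmp
C:\21691710\deakoc.pif
MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
memory/1976-92-0x0000000000250000-0x0000000000962000-memory.dmp
memory/1976-94-0x00000000002D42AE-mapping.dmp
memory/1796-193-0x00000000002D42AE-mapping.dmp
"""

REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (by_sha256, regions, mappings).

    by_sha256: sha256 -> {"md5", "sha1", "paths": set, "count"} (count = listing entries)
    regions:   pid -> [(base, end)] taken from *-memory.dmp names
    mappings:  pid -> nonzero address from *-mapping.dmp names (0x0 entries carry none)
    """
    by_sha, regions, mappings = {}, defaultdict(list), {}
    path, hashes = None, {}

    def flush():
        if path is not None and "sha256" in hashes:
            rec = by_sha.setdefault(hashes["sha256"], {"md5": hashes.get("md5"),
                                                      "sha1": hashes.get("sha1"),
                                                      "paths": set(), "count": 0})
            rec["paths"].add(path)
            rec["count"] += 1

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := REGION_RE.match(line)):
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
        elif (m := MAPPING_RE.match(line)):
            if int(m.group(2), 16):
                mappings[int(m.group(1))] = int(m.group(2), 16)
        elif (m := HASH_RE.match(line)):
            hashes[m.group(1).lower()] = m.group(2)
        else:                      # a file path starts a new entry
            flush()
            path, hashes = line, {}
    flush()
    return by_sha, dict(regions), mappings


def mapping_offsets(regions, mappings):
    """Offset of each PID's mapping address from the base of the dumped region that
    contains it; None when no dumped region of that PID contains the address."""
    out = {}
    for pid, addr in mappings.items():
        bases = [base for base, end in regions.get(pid, []) if base <= addr < end]
        out[pid] = addr - bases[0] if bases else None
    return out


if __name__ == "__main__":
    by_sha, regions, mappings = parse_files(EXCERPT)
    for sha, rec in by_sha.items():
        print(f"{sha}  x{rec['count']}  {sorted(rec['paths'])}")
    for pid, off in sorted(mapping_offsets(regions, mappings).items()):
        print(f"PID {pid}: mapping offset {'n/a' if off is None else hex(off)}")
```

On the excerpt this yields three distinct SHA256 values (deakoc.pif, ajck.upw and the Roaming pLMHJ.vbs), with deakoc.pif recorded under both the drive-less and the C:\ form of its path, and an offset of 0x842AE for PIDs 1096, 1380 and 1976; PID 1796 has a mapping address but no dumped region in the excerpt, so it is reported as not computable rather than guessed.
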
Analysis: behavioral2

Detonation Overview

Submitted

2021-11-05 11:37

Reported

2021-11-05 11:43

Platform

win10-en-20211014

Max time kernel

114s

Max time network

314s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\21691710\deakoc.pif N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 2668 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif
PID 2668 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe C:\21691710\deakoc.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe

"C:\Users\Admin\AppData\Local\Temp\PO-UPDATE-99077-IMG.exe"

C:\21691710\deakoc.pif

"C:\21691710\deakoc.pif" ajck.upw

Network

Country  Destination          Domain            Proto
US       52.109.8.19:443      -                 tcp
US       8.8.8.8:53           time.windows.com  udp
NL       40.119.148.38:123    time.windows.com  udp

Files

memory/4028-115-0x0000000000000000-mapping.dmp

C:\21691710\deakoc.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba