gh0strat | 2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d

Analysis

max time kernel
111s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
Size

1.2MB
MD5

57d8539b07a8651b46feea6f8c5c5ebc
SHA1

40744b617796fb203e1fe56d25c1d224a6cfb7e3
SHA256

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d
SHA512

396da8cf2eb9a43e1f694f32c800e74c6beca1c4fe832e5a6c55cf943763029223521c85e769ef23095f35f891f418bcc097127aa6d47ff0fc4267b39db35914
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtid:WIwgMEuy+inDfp3/XoCw57XYBwKd

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 6 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/308-24-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/308-23-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2844-50-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2844-53-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2844-65-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2644-70-0x0000000005AF0000-0x0000000005E50000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000800000001739b-14.dat	family_gh0strat
behavioral1/memory/308-24-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/308-23-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2844-50-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2844-53-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2844-65-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2644-70-0x0000000005AF0000-0x0000000005E50000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

Processes:

Ghiya.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Server Software Component: Terminal Services DLL 1 TTPs 24 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

AK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259436167.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259439069.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440489.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259444123.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259434919.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259435465.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259438445.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259441783.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437868.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259439865.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259442860.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259443531.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259434217.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259435450.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259436183.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437213.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259441191.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259441206.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259442345.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259442844.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259431129.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259432470.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437883.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440473.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ghiya.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Drops startup file 1 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Executes dropped EXE 64 IoCs

Processes:

AK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exe

pid	Process
2376	AK47.exe
1820	AK47.exe
308	AK74.exe
2824	Ghiya.exe
2844	Ghiya.exe
2500	svchcst.exe
1696	AK47.exe
2416	AK47.exe
1208	AK74.exe
2636	Ghiya.exe
1776	Ghiya.exe
2432	svchcst.exe
2992	AK47.exe
960	AK47.exe
2068	AK74.exe
1768	Ghiya.exe
1636	Ghiya.exe
3016	svchcst.exe
2212	AK47.exe
568	AK47.exe
1928	AK74.exe
2548	Ghiya.exe
1712	Ghiya.exe
2744	svchcst.exe
2980	AK47.exe
308	AK47.exe
2760	AK74.exe
2776	Ghiya.exe
2608	Ghiya.exe
1292	svchcst.exe
1516	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2148	AK47.exe
2420	AK47.exe
528	AK74.exe
1208	Ghiya.exe
2036	Ghiya.exe
2716	svchcst.exe
1656	AK47.exe
852	AK47.exe
1380	AK74.exe
1884	Ghiya.exe
1140	Ghiya.exe
1636	svchcst.exe
2284	AK47.exe
1832	AK47.exe
3008	AK74.exe
1788	Ghiya.exe
1676	Ghiya.exe
2268	svchcst.exe
1604	AK47.exe
2156	AK47.exe
596	AK74.exe
2428	Ghiya.exe
2800	Ghiya.exe
840	svchcst.exe
2612	AK47.exe
2648	AK47.exe
2108	AK74.exe
2276	Ghiya.exe
588	Ghiya.exe
1836	svchcst.exe
1208	AK47.exe
2540	AK47.exe
2288	AK74.exe

Loads dropped DLL 64 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exeAK47.exesvchost.exeGhiya.exeWScript.exesvchcst.exeAK47.exeGhiya.exesvchcst.exeAK47.exeAK47.exeGhiya.exesvchcst.exeAK47.exeGhiya.exesvchcst.exeAK47.exeAK47.exeGhiya.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exesvchcst.exeAK47.exeAK47.exeGhiya.exesvchcst.exeAK47.exeAK47.exeGhiya.exesvchcst.exeAK47.exeGhiya.exesvchcst.exeAK47.exeGhiya.exesvchcst.exeAK47.exeAK47.exeGhiya.exesvchcst.exeAK47.exe

pid	Process
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2376	AK47.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2692	svchost.exe
2824	Ghiya.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2644	WScript.exe
2500	svchcst.exe
2500	svchcst.exe
1696	AK47.exe
2500	svchcst.exe
2636	Ghiya.exe
2432	svchcst.exe
2432	svchcst.exe
2992	AK47.exe
960	AK47.exe
2432	svchcst.exe
1768	Ghiya.exe
3016	svchcst.exe
3016	svchcst.exe
2212	AK47.exe
3016	svchcst.exe
2548	Ghiya.exe
2744	svchcst.exe
2744	svchcst.exe
2980	AK47.exe
308	AK47.exe
2744	svchcst.exe
2776	Ghiya.exe
2692	svchost.exe
1516	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
1292	svchcst.exe
1292	svchcst.exe
2148	AK47.exe
2420	AK47.exe
1292	svchcst.exe
1208	Ghiya.exe
2716	svchcst.exe
2716	svchcst.exe
1656	AK47.exe
852	AK47.exe
2716	svchcst.exe
1884	Ghiya.exe
1636	svchcst.exe
1636	svchcst.exe
2284	AK47.exe
1636	svchcst.exe
1788	Ghiya.exe
2268	svchcst.exe
2268	svchcst.exe
2156	AK47.exe
2268	svchcst.exe
2428	Ghiya.exe
840	svchcst.exe
840	svchcst.exe
2612	AK47.exe
2648	AK47.exe
840	svchcst.exe
2276	Ghiya.exe
1836	svchcst.exe
1836	svchcst.exe
1208	AK47.exe

VMProtect packed file 43 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2492-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/files/0x0007000000017481-60.dat	vmprotect
behavioral1/memory/2500-72-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2500-113-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2432-115-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2432-150-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/3016-158-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/3016-195-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2744-226-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1292-232-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2492-231-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1292-260-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2716-296-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1636-321-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2268-353-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/840-355-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/840-383-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1836-415-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1972-441-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1640-469-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/3016-499-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2368-505-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2368-537-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1964-538-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1964-562-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1492-567-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1492-595-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2376-623-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2120-628-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2120-654-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/440-657-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/440-687-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/3068-707-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2520-712-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2520-736-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2272-755-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2388-783-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1284-804-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1344-808-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1344-830-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1404-854-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2884-880-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Drops file in System32 directory 64 IoCs

Processes:

AK47.exeAK47.exeAK47.exeAK47.exeAK47.exesvchost.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK74.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\259436183.txt	AK47.exe
File created	C:\Windows\SysWOW64\259443531.txt	AK47.exe
File created	C:\Windows\SysWOW64\259433235.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\259432470.txt	AK47.exe
File created	C:\Windows\SysWOW64\259435450.txt	AK47.exe
File created	C:\Windows\SysWOW64\259434935.txt	AK47.exe
File created	C:\Windows\SysWOW64\259436667.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259439069.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259441783.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259434217.txt	AK47.exe
File created	C:\Windows\SysWOW64\259434217.txt	AK47.exe
File created	C:\Windows\SysWOW64\259437213.txt	AK47.exe
File created	C:\Windows\SysWOW64\259437868.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259442345.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\259432470.txt	AK47.exe
File created	C:\Windows\SysWOW64\259444139.txt	AK47.exe
File created	C:\Windows\SysWOW64\259444123.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259439865.txt	AK47.exe
File created	C:\Windows\SysWOW64\259442345.txt	AK47.exe
File created	C:\Windows\SysWOW64\259443531.txt	AK47.exe
File created	C:\Windows\SysWOW64\259436667.txt	AK47.exe
File created	C:\Windows\SysWOW64\259438445.txt	AK47.exe
File created	C:\Windows\SysWOW64\259437883.txt	AK47.exe
File created	C:\Windows\SysWOW64\259440489.txt	AK47.exe
File created	C:\Windows\SysWOW64\259441783.txt	AK47.exe
File created	C:\Windows\SysWOW64\259442844.txt	AK47.exe
File created	C:\Windows\SysWOW64\259431129.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\259437213.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259438445.txt	AK47.exe
File created	C:\Windows\SysWOW64\259441206.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259440473.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259431129.txt	AK47.exe
File created	C:\Windows\SysWOW64\259434919.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259435465.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259439865.txt	AK47.exe
File created	C:\Windows\SysWOW64\259442860.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259433203.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259439085.txt	AK47.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/308-21-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/308-24-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/308-23-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2844-50-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2844-53-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2844-65-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2644-70-0x0000000005AF0000-0x0000000005E50000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEAK47.exePING.EXEGhiya.exeAK47.exeAK74.exesvchcst.exesvchcst.exeAK47.exesvchcst.exeAK74.exeAK74.exeAK47.exeAK74.exeAK47.exeAK47.exeAK47.exeAK47.exeGhiya.execmd.exeAK74.exeAK74.exeAK47.exeAK74.exeAK74.exesvchcst.execmd.exesvchcst.execmd.execmd.exesvchcst.exeAK47.exeAK74.execmd.exeAK74.exeGhiya.exePING.EXEGhiya.execmd.exeAK74.exeGhiya.exeAK74.exeGhiya.execmd.exeAK47.exePING.EXEAK74.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXEPING.EXEPING.EXEcmd.exePING.EXEcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exePING.EXEPING.EXEcmd.execmd.exePING.EXEcmd.execmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.execmd.exePING.EXEcmd.execmd.exePING.EXEPING.EXEPING.EXEPING.EXEcmd.exePING.EXEPING.EXE

pid	Process
2600	cmd.exe
1356	PING.EXE
2700
1828
3012	cmd.exe
1036	PING.EXE
1504	PING.EXE
3064	PING.EXE
620	cmd.exe
860	PING.EXE
2992	cmd.exe
2572
2196
1904	cmd.exe
2076	cmd.exe
1208
1900
1368
2424	cmd.exe
2192
3028	cmd.exe
1460	cmd.exe
1336	cmd.exe
3008
3064
520
2312	cmd.exe
1764	PING.EXE
1916	PING.EXE
2084	cmd.exe
1764	cmd.exe
1760
1252
2764	PING.EXE
2276	cmd.exe
308	cmd.exe
1492	PING.EXE
1208	PING.EXE
2876	cmd.exe
2516
2812
2604	PING.EXE
1788	cmd.exe
2196	cmd.exe
1600
2744
440
2468	PING.EXE
2416
2780
2304	cmd.exe
1380	cmd.exe
1552
2120
1760	PING.EXE
1048
2108	PING.EXE
2720	PING.EXE
2808
1028
1776	PING.EXE
2576	cmd.exe
3060	PING.EXE
2084	PING.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1548	PING.EXE
1760
960
2752
296	PING.EXE
2528	PING.EXE
1032	PING.EXE
2468	PING.EXE
2396	PING.EXE
2192	PING.EXE
2216	PING.EXE
1492	PING.EXE
1572
620	PING.EXE
1764	PING.EXE
288
1492	PING.EXE
2304
1868	PING.EXE
2796	PING.EXE
284	PING.EXE
2484	PING.EXE
1792
2992
2728
3024
2700	PING.EXE
2744
2196
2108	PING.EXE
624	PING.EXE
1788	PING.EXE
1808
2316	PING.EXE
1268
624
2408
1208
1936	PING.EXE
3064	PING.EXE
1696
1972
1964	PING.EXE
1628	PING.EXE
884
2600	PING.EXE
600
440
1448	PING.EXE
1780
2604
2024
1576	PING.EXE
288	PING.EXE
404	PING.EXE
264
2160
2088	PING.EXE
912
2388
2360
1920
1764	PING.EXE
1640

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

pid	Process
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WScript.exe

pid	Process
2644	WScript.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Ghiya.exe

pid	Process
2844	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

pid	Process
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AK74.exeGhiya.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	308	AK74.exe
Token: SeLoadDriverPrivilege	2844	Ghiya.exe
Token: SeIncBasePriorityPrivilege	1208	AK74.exe
Token: SeIncBasePriorityPrivilege	2068	AK74.exe
Token: SeIncBasePriorityPrivilege	1928	AK74.exe
Token: SeIncBasePriorityPrivilege	2760	AK74.exe
Token: SeIncBasePriorityPrivilege	528	AK74.exe
Token: SeIncBasePriorityPrivilege	1380	AK74.exe
Token: SeIncBasePriorityPrivilege	3008	AK74.exe
Token: SeIncBasePriorityPrivilege	596	AK74.exe
Token: SeIncBasePriorityPrivilege	2108	AK74.exe
Token: SeIncBasePriorityPrivilege	2288	AK74.exe
Token: SeIncBasePriorityPrivilege	1092	AK74.exe
Token: SeIncBasePriorityPrivilege	2504	AK74.exe
Token: SeIncBasePriorityPrivilege	2568	AK74.exe
Token: SeIncBasePriorityPrivilege	1356	AK74.exe
Token: SeIncBasePriorityPrivilege	1756	AK74.exe
Token: SeIncBasePriorityPrivilege	568	AK74.exe
Token: SeIncBasePriorityPrivilege	2948	AK74.exe
Token: SeIncBasePriorityPrivilege	832	AK74.exe
Token: SeIncBasePriorityPrivilege	1312	AK74.exe
Token: SeIncBasePriorityPrivilege	892	AK74.exe
Token: SeIncBasePriorityPrivilege	2344	AK74.exe
Token: SeIncBasePriorityPrivilege	1400	AK74.exe
Token: SeIncBasePriorityPrivilege	1360	AK74.exe
Token: SeIncBasePriorityPrivilege	2232	AK74.exe
Token: SeIncBasePriorityPrivilege	1752	AK74.exe
Token: SeIncBasePriorityPrivilege	2052	AK74.exe
Token: SeIncBasePriorityPrivilege	308	AK74.exe
Token: SeIncBasePriorityPrivilege	112	AK74.exe
Token: SeIncBasePriorityPrivilege	1036	AK74.exe
Token: SeIncBasePriorityPrivilege	2824	AK74.exe
Token: SeIncBasePriorityPrivilege	2792	AK74.exe
Token: SeIncBasePriorityPrivilege	2960	AK74.exe
Token: SeIncBasePriorityPrivilege	3020	AK74.exe
Token: SeIncBasePriorityPrivilege	1876	AK74.exe
Token: SeIncBasePriorityPrivilege	2284	AK74.exe
Token: SeIncBasePriorityPrivilege	3016	AK74.exe
Token: SeIncBasePriorityPrivilege	2724	AK74.exe
Token: SeIncBasePriorityPrivilege	1720	AK74.exe
Token: SeIncBasePriorityPrivilege	3028	AK74.exe
Token: SeIncBasePriorityPrivilege	2284	AK74.exe
Token: SeIncBasePriorityPrivilege	2656	AK74.exe
Token: SeIncBasePriorityPrivilege	2172	AK74.exe
Token: SeIncBasePriorityPrivilege	1636	AK74.exe
Token: SeIncBasePriorityPrivilege	2760	AK74.exe
Token: SeIncBasePriorityPrivilege	2284	AK74.exe
Token: SeIncBasePriorityPrivilege	2808	AK74.exe
Token: SeIncBasePriorityPrivilege	2316	AK74.exe
Token: SeIncBasePriorityPrivilege	2196	AK74.exe
Token: SeIncBasePriorityPrivilege	528	AK74.exe
Token: SeIncBasePriorityPrivilege	1040	AK74.exe
Token: SeIncBasePriorityPrivilege	3008	AK74.exe
Token: SeIncBasePriorityPrivilege	2172	AK74.exe
Token: SeIncBasePriorityPrivilege	2088	AK74.exe
Token: SeIncBasePriorityPrivilege	1092	AK74.exe
Token: SeIncBasePriorityPrivilege	2252	AK74.exe
Token: SeIncBasePriorityPrivilege	2808	AK74.exe
Token: SeIncBasePriorityPrivilege	1380	AK74.exe
Token: SeIncBasePriorityPrivilege	2088	AK74.exe
Token: SeIncBasePriorityPrivilege	340	AK74.exe
Token: SeIncBasePriorityPrivilege	2284	AK74.exe
Token: SeIncBasePriorityPrivilege	2224	AK74.exe
Token: SeIncBasePriorityPrivilege	2972	AK74.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	Process
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
2500	svchcst.exe
2500	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
840	svchcst.exe
840	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
440	svchcst.exe
440	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exeAK74.exeGhiya.execmd.exeWScript.exesvchcst.exeGhiya.exeAK74.exe

description	pid	Process	procid_target
PID 2492 wrote to memory of 2376	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	30
PID 2492 wrote to memory of 2376	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	30
PID 2492 wrote to memory of 2376	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	30
PID 2492 wrote to memory of 2376	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	30
PID 2492 wrote to memory of 1820	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	31
PID 2492 wrote to memory of 1820	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	31
PID 2492 wrote to memory of 1820	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	31
PID 2492 wrote to memory of 1820	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	31
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 2492 wrote to memory of 308	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	32
PID 308 wrote to memory of 2732	308	AK74.exe	36
PID 308 wrote to memory of 2732	308	AK74.exe	36
PID 308 wrote to memory of 2732	308	AK74.exe	36
PID 308 wrote to memory of 2732	308	AK74.exe	36
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2824 wrote to memory of 2844	2824	Ghiya.exe	38
PID 2732 wrote to memory of 2764	2732	cmd.exe	39
PID 2732 wrote to memory of 2764	2732	cmd.exe	39
PID 2732 wrote to memory of 2764	2732	cmd.exe	39
PID 2732 wrote to memory of 2764	2732	cmd.exe	39
PID 2492 wrote to memory of 2644	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	40
PID 2492 wrote to memory of 2644	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	40
PID 2492 wrote to memory of 2644	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	40
PID 2492 wrote to memory of 2644	2492	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	40
PID 2644 wrote to memory of 2500	2644	WScript.exe	42
PID 2644 wrote to memory of 2500	2644	WScript.exe	42
PID 2644 wrote to memory of 2500	2644	WScript.exe	42
PID 2644 wrote to memory of 2500	2644	WScript.exe	42
PID 2500 wrote to memory of 1696	2500	svchcst.exe	43
PID 2500 wrote to memory of 1696	2500	svchcst.exe	43
PID 2500 wrote to memory of 1696	2500	svchcst.exe	43
PID 2500 wrote to memory of 1696	2500	svchcst.exe	43
PID 2500 wrote to memory of 2416	2500	svchcst.exe	44
PID 2500 wrote to memory of 2416	2500	svchcst.exe	44
PID 2500 wrote to memory of 2416	2500	svchcst.exe	44
PID 2500 wrote to memory of 2416	2500	svchcst.exe	44
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2500 wrote to memory of 1208	2500	svchcst.exe	45
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 2636 wrote to memory of 1776	2636	Ghiya.exe	48
PID 1208 wrote to memory of 2284	1208	AK74.exe	47
PID 1208 wrote to memory of 2284	1208	AK74.exe	47
PID 1208 wrote to memory of 2284	1208	AK74.exe	47
PID 1208 wrote to memory of 2284	1208	AK74.exe	47

C:\Users\Admin\AppData\Local\Temp\2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
"C:\Users\Admin\AppData\Local\Temp\2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2284
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:960
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1840
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:308
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2500
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1904
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:308
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:284
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:620
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:960
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:296
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2504
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2760
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2600
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Drops file in System32 directory
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1140
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1460
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2572
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2192
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1380
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2020
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2304
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3000
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1292
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2668
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:284
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1576
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:520
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1720
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1788
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1836
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1972
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1572
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2512
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:876
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2136
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:624
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:288
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2904
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2500
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:796
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1316
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2368
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2700
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1504
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:284
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2600
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:876
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1400
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1040
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2252
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1460
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1600
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:884
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1808
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2376
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:284
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2992
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:316
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1716
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2512
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2816
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:960
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1040
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:296
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1448
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1284
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2876
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:288
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1844
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2868
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2316
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:440
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1312
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2288
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2196
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2388
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2804
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2888
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:532
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2876
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:592
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2720
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2700
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2172
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1156
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:624
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:264
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2452
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:588
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:112
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2076
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2692
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259431129.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1516

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1776

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1636

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2608

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2036

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1140

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1838070164-887594363-513095651-142795291612257220801443297738960770667-1967937717"
1⤵
PID:2420

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3004
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:960

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2904
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1712
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2728

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1316
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2340

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2828
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2140

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:860

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1788
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2564

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1768
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2344

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2960
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "42798280810003210221361198746-830404715-23437665115186084541829384400-403017962"
1⤵
PID:1648

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1409899681-1730589348-864928140520535342654069164221331864534193679-1142992437"
1⤵
PID:1836

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1336
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2032

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2156
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2020

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2424
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "928926487631167806-741267082-371893150844220106-1976907396-422052994-1940985764"
1⤵
PID:2108

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1032
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1556

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1696

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1928
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12523199151805352665-1146397883-208182584513130372714181755001495458525-985424694"
1⤵
PID:1592

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2152
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2968

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2876
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2380

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2384
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2988

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:884
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1028

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2288
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2980

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1092
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1688

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3016
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103640834361726058-6087543751327132993-725871179-369446918-782532213-1741735140"
1⤵
PID:2380

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3044
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-510405492165618741208189685311602757016310093211906880729-1168788777-415179127"
1⤵
PID:2988

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1976
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1504

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2720
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2728

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2804
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1964

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1156

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:832
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2360

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1356
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "753369639548918945111459018718992852891549602475805968944-2037109030-1738405462"
1⤵
PID:284

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2992
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2672

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18544516681674643699-1441107119-1855085114-205714627010635741271707751861-1133160133"
1⤵
PID:2816

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2700
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8972964951224027088478807801-1666996465-232614558-1843443928-1610124834-1567032778"
1⤵
PID:1156

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2120
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2600

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2276
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2904

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2980
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2672

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2860
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2884

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2140
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:852

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:112
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1904

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2148
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2368

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2152
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2520

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1964
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2528

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1336
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2964

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2972
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2028

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1720
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2056

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2212
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2396

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2516
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2424

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2144
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1983761485512338484454774432-1371725580-15640256823261718-1095047491317316318"
1⤵
PID:2668

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2676
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3052

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2728
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2416

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2640
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1876

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2824
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2780

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1852
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2380

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1056
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2056
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2776

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2288
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:912

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2156
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "559439176306312782-10512046791905947940-903405278-1916728992992018-1769501199"
1⤵
PID:2904

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2700
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2015515542-422208061210257678721254836601455066410-149037259719427745621244045038"
1⤵
PID:876

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1844
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1604

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2940
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:528

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3036
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2980

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2724
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:532

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1972
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5371693791107655347-183415985-1729092976826737690-447074286618056311-1272038345"
1⤵
PID:1600

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2172
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:884

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1648
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:528

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:404
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1012

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2280
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2340

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:624
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1435737242-1716865120-1371354856-858271070520503187284235798591038109-1675054241"
1⤵
PID:2972

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1316
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1692

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1868
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2292

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:340
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:832

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1840
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1498826756-817702434-16243859683585518631779710396-743327434-21442838491534883569"
1⤵
PID:2656

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2672
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1604

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2028
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2988

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1720
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3036

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2888
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1808

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2252
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2052

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:3060
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2304

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1936
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:520
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2668

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2640
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15370040325887851510906370026736746402028956653-1683621343263951045225880530"
1⤵
PID:2148

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2260
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5734556091209860277-80104381418292201291589855321153000769-3096415852085051833"
1⤵
PID:1580

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:884
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1356

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1048

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2284
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20841334051541879656-1506901810-1500611410-1541852954111571214218638760351413643581"
1⤵
PID:1828

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3032
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-347834291-1299952162-1357142090-553288360-411033123-1507259660-119846647-851460516"
1⤵
PID:1796

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1904
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2452

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2352
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1253758883499272977-1066984901017095833-341627482-2362969901869328719-957428946"
1⤵
PID:2216

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1472
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-141529116418127032311282175471-5352971796356334561216256861-10798317382138831261"
1⤵
PID:340

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3012
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "246767127-21326481803833564161904169570-10405839758327329301612832600567731573"
1⤵
PID:832

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2452
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2580

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3068
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2384

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2504
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2216

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2980
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2868

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2900
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1976

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1928
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2704

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:904
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1400

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2852

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1720
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1015475197-1977001910-2826924591178038753-589139911-1296969078-1270946121-1244724267"
1⤵
PID:2572

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2088
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1628

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1704
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14328429682021955138179745853639266248146172718569933001011576649381767174808"
1⤵
PID:1196

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2224
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-79264161017643389741622455495532958601-481235369968024821-1956305541688573662"
1⤵
PID:1360

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1356
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:892

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1924
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3008

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2328
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1344

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1208
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1540

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2352
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1908

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2808
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1640
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "31278174-1468100015-5366179621320808855-1296981376-516851443-665507106-1755105006"
1⤵
PID:2292

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:964

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1904

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2948
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8519146561448140565-1931016697-1778839220717371142917454978636371741892872174"
1⤵
PID:2520

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2572
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
662bc4355f42962866c741a22a5b76f1

SHA1
79be0dc0561eefbbeb227e4885036169fec5d349

SHA256
80f2e607b19a148f92a6906e2956739e8d266736137d2df069182eade7a45393

SHA512
d0f28d66399083bcf692557023fab09ae700980cb0bf789b301f9907fd65aa07f4d41c15627cfd239033c712633bacbf4248c44425014ba14f0409a614a64244

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
45B

MD5
8738bcaf9f5600cf3f4c2c09432d61fb

SHA1
e06a1a617e6805649ff4989444d85c9da94f3499

SHA256
bb42604e3b86ba2f3518f339830b2ca9ee2a725e754149c2e8f5d5c541f1e283

SHA512
c44e50614841697ba846a5620e170d72eb31ddec062fb509d355e47e7fee0980ed91b5c7b4b0b9a4b190967933557003585a848f98e82a8aa0aedcbfc4ee69bb

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
bd17ecfc65b9065e2d6cc7ba0b2bc5a1

SHA1
4b182952e943efe5968e5fa04858dd3b7a7a072b

SHA256
e7f3796961cc8e98b25eb65fc039b2e4ac35e0861632951f282a5718ad1d09bc

SHA512
06489a4f06a2521f99606ac47c9bd4dad23926e9cb3a5b826ceecc799ff803659092108ffcbda93eb1e539f60400ba18f396ee0b72ea3b7529bda21c0916403e

Download Submit
\Windows\SysWOW64\259431129.txt

Filesize
49KB

MD5
c6f34b279d163cba37834c6ce76cfcaf

SHA1
5e59d22f3b892d2cd793f30000e3d503aee01aef

SHA256
764a8636454a3ee9d3c4d06ca75ddf9a4a3be89b2bd61a13a8fd61e12d4534cb

SHA512
57ed668f5eb3fe04b5a1dc658529e5c56dd81cbe7b1d7a98b51e7c32537bcbc5b7bad0812ca8ae8ba60d73808a935ef00b7133945ce23c00487db6761ebb449a

Download Submit
memory/308-23-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/308-21-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/308-24-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/440-687-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/440-657-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/840-383-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/840-355-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1284-804-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1292-260-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1292-232-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1344-808-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1344-830-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1404-854-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1492-595-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1492-567-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1636-321-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1640-469-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1836-415-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1964-538-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1964-562-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1972-441-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2120-628-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2120-654-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2268-353-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2272-755-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2368-537-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2368-505-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2376-623-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2388-783-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2432-150-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2432-115-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2492-231-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2492-63-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2492-297-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2492-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2492-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2492-62-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2492-324-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2500-72-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2500-113-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2520-736-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2520-712-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2644-70-0x0000000005AF0000-0x0000000005E50000-memory.dmp

Filesize
3.4MB

Download
memory/2644-354-0x0000000005AF0000-0x0000000005E50000-memory.dmp

Filesize
3.4MB

Download
memory/2716-296-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2744-226-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2844-65-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2844-53-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2844-50-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2884-880-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3016-499-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3016-195-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3016-158-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3068-707-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download