gh0strat | 2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d

Analysis

max time kernel
75s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
Size

1.2MB
MD5

57d8539b07a8651b46feea6f8c5c5ebc
SHA1

40744b617796fb203e1fe56d25c1d224a6cfb7e3
SHA256

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d
SHA512

396da8cf2eb9a43e1f694f32c800e74c6beca1c4fe832e5a6c55cf943763029223521c85e769ef23095f35f891f418bcc097127aa6d47ff0fc4267b39db35914
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtid:WIwgMEuy+inDfp3/XoCw57XYBwKd

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1752-30-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1752-31-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1352-39-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1352-38-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/3552-49-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/3552-53-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/3552-54-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c97-17.dat	family_gh0strat
behavioral2/memory/1752-30-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1752-31-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1352-39-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1352-38-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/3552-49-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/3552-53-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/3552-54-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

Processes:

Ghiya.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Server Software Component: Terminal Services DLL 1 TTPs 17 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

AK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240635890.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240636593.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628296.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628890.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629468.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630109.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240631281.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240633046.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240635203.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240638703.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240639953.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240639968.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240626906.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629484.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630687.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240632421.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240636609.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ghiya.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchcst.exesvchcst.exe2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchcst.exe

Drops startup file 1 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Executes dropped EXE 64 IoCs

Processes:

AK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exesvchcst.exeAK47.exeAK47.exeAK74.exe

pid	Process
4888	AK47.exe
3144	AK47.exe
1752	AK74.exe
1352	Ghiya.exe
3552	Ghiya.exe
4824	svchcst.exe
2872	AK47.exe
800	AK47.exe
4796	AK74.exe
3560	Ghiya.exe
668	Ghiya.exe
1016	svchcst.exe
4636	AK47.exe
3104	AK47.exe
2428	AK74.exe
4052	Ghiya.exe
4372	Ghiya.exe
4244	svchcst.exe
2036	AK47.exe
3612	AK47.exe
1980	AK74.exe
3292	Ghiya.exe
3164	Ghiya.exe
1968	svchcst.exe
2112	AK47.exe
4496	AK47.exe
3624	AK74.exe
4452	Ghiya.exe
640	Ghiya.exe
3068	svchcst.exe
2728	AK47.exe
4172	AK47.exe
4396	AK74.exe
2588	Ghiya.exe
3388	Ghiya.exe
1972	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2272	svchcst.exe
1652	AK47.exe
1000	AK47.exe
3620	AK74.exe
4644	Ghiya.exe
428	Ghiya.exe
3512	svchcst.exe
3596	AK47.exe
1348	AK47.exe
4512	AK74.exe
1476	Ghiya.exe
464	Ghiya.exe
3788	svchcst.exe
5032	AK47.exe
2052	AK47.exe
4900	AK74.exe
4364	Ghiya.exe
1524	Ghiya.exe
2136	svchcst.exe
3576	AK47.exe
60	AK47.exe
2596	AK74.exe
1404	Ghiya.exe
2728	Ghiya.exe
3332	svchcst.exe
4716	AK47.exe
4060	AK47.exe
8	AK74.exe

Loads dropped DLL 23 IoCs

Processes:

AK47.exesvchost.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exe

pid	Process
3144	AK47.exe
1300	svchost.exe
2872	AK47.exe
4636	AK47.exe
3612	AK47.exe
2036	AK47.exe
2112	AK47.exe
2728	AK47.exe
1972	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
1652	AK47.exe
3596	AK47.exe
2052	AK47.exe
3576	AK47.exe
4716	AK47.exe
4728	AK47.exe
5012	AK47.exe
3196	AK47.exe
3292	AK47.exe
4960	AK47.exe
1596	AK47.exe
580	AK47.exe
1764	AK47.exe
4636	AK47.exe

VMProtect packed file 35 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4820-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023c9c-59.dat	vmprotect
behavioral2/memory/4824-66-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4824-102-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1016-146-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4244-193-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1968-236-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3068-276-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2272-308-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3512-337-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3788-368-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4820-369-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2136-370-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2136-401-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3332-430-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4364-461-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2672-493-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3068-528-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1948-558-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4332-589-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/5000-618-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3156-639-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3688-666-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3624-695-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4564-698-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4564-725-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1804-752-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/828-779-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4512-807-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2100-834-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4484-862-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3192-889-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4276-916-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1804-943-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Drops file in System32 directory 57 IoCs

Processes:

AK74.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exesvchost.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exeAK47.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240631812.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628296.txt	AK47.exe
File created	C:\Windows\SysWOW64\240629468.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\240630109.txt	AK47.exe
File created	C:\Windows\SysWOW64\240632421.txt	AK47.exe
File created	C:\Windows\SysWOW64\240630687.txt	AK47.exe
File created	C:\Windows\SysWOW64\240632421.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240629484.txt	AK47.exe
File created	C:\Windows\SysWOW64\240631281.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240635203.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240639968.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\240637187.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240630687.txt	AK47.exe
File created	C:\Windows\SysWOW64\240633625.txt	AK47.exe
File created	C:\Windows\SysWOW64\240636609.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\240633046.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\240635890.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240633625.txt	AK47.exe
File created	C:\Windows\SysWOW64\240635890.txt	AK47.exe
File created	C:\Windows\SysWOW64\240636593.txt	AK47.exe
File created	C:\Windows\SysWOW64\240639296.txt	AK47.exe
File created	C:\Windows\SysWOW64\240626906.txt	AK47.exe
File created	C:\Windows\SysWOW64\240631281.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240631812.txt	AK47.exe
File created	C:\Windows\SysWOW64\240638703.txt	AK47.exe
File created	C:\Windows\SysWOW64\240626906.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240635203.txt	AK47.exe
File created	C:\Windows\SysWOW64\240639953.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628296.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240637187.txt	AK47.exe
File created	C:\Windows\SysWOW64\240638703.txt	AK47.exe
File created	C:\Windows\SysWOW64\240639296.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628890.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628890.txt	AK47.exe
File created	C:\Windows\SysWOW64\240630109.txt	AK47.exe
File created	C:\Windows\SysWOW64\240633046.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1752-28-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1752-30-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1752-31-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1352-39-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1352-36-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1352-38-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/3552-49-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/3552-53-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/3552-54-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1876	3596	WerFault.exe	158
4312	4060	WerFault.exe	190
4780	4960	WerFault.exe	230
4036	3036	WerFault.exe	229
4600	580	WerFault.exe	251
4436	580	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeAK47.execmd.exeGhiya.exeGhiya.exeAK47.exeAK74.exeAK47.exeAK74.execmd.exePING.EXEPING.EXEAK74.exeAK47.exeAK47.exeAK74.exeGhiya.exesvchcst.exesvchcst.execmd.exesvchcst.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeAK47.exeGhiya.exeAK47.exeAK47.exePING.EXEPING.EXEsvchcst.exeAK47.execmd.exeAK74.execmd.exeGhiya.exeAK47.exesvchcst.exeAK47.exeAK74.exeAK74.exeGhiya.exeAK47.exeAK74.exeAK47.exeGhiya.exeAK74.exeAK47.execmd.exeGhiya.exeAK47.exeGhiya.execmd.exeAK74.exeAK74.exeAK47.exeAK47.execmd.exePING.EXEGhiya.exePING.EXEPING.EXEAK47.exeAK74.execmd.exeAK47.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEcmd.execmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXEPING.EXEPING.EXEcmd.execmd.exePING.EXEPING.EXEPING.EXEcmd.exePING.EXEPING.EXEPING.EXEPING.EXEcmd.execmd.execmd.exePING.EXEPING.EXEPING.EXEcmd.execmd.exePING.EXEPING.EXEcmd.exePING.EXEPING.EXEcmd.execmd.execmd.exePING.EXEcmd.execmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.execmd.execmd.exePING.EXEPING.EXEcmd.execmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid	Process
2412	PING.EXE
1664	cmd.exe
1656	cmd.exe
3352	PING.EXE
2304	cmd.exe
3604	PING.EXE
2836	cmd.exe
2276	PING.EXE
4784	PING.EXE
4276
1952	PING.EXE
1516	cmd.exe
800	cmd.exe
4924	PING.EXE
4020	PING.EXE
4704
2248
3088	PING.EXE
2020	cmd.exe
3644	PING.EXE
4556	PING.EXE
3644	PING.EXE
2588	PING.EXE
2100	cmd.exe
1040	cmd.exe
1984	cmd.exe
3984	PING.EXE
3300
312	PING.EXE
3560	PING.EXE
3068	cmd.exe
4544	cmd.exe
4544
2636
3144	PING.EXE
668	PING.EXE
1488	cmd.exe
4964	PING.EXE
3292
3776	PING.EXE
2328	cmd.exe
1244	cmd.exe
4636	cmd.exe
5108	PING.EXE
2420	cmd.exe
1992
3224	cmd.exe
4024	PING.EXE
4040	PING.EXE
4656	cmd.exe
1244	PING.EXE
1520	cmd.exe
3564	cmd.exe
452	cmd.exe
5060	PING.EXE
1652	PING.EXE
2572	cmd.exe
2836
644	cmd.exe
432	PING.EXE
4544	cmd.exe
2588	PING.EXE
2404	cmd.exe
848	PING.EXE

Modifies registry class 2 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exeWScript.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2020	PING.EXE
3144	PING.EXE
852	PING.EXE
4956	PING.EXE
1956	PING.EXE
4040	PING.EXE
4512	PING.EXE
1228	PING.EXE
2736
3076	PING.EXE
3940	PING.EXE
2112	PING.EXE
1680	PING.EXE
1952	PING.EXE
1016	PING.EXE
2672
4708
3988	PING.EXE
3560	PING.EXE
2052	PING.EXE
1484	PING.EXE
1788	PING.EXE
4040	PING.EXE
2836
3624	PING.EXE
4268	PING.EXE
2888	PING.EXE
668	PING.EXE
4628	PING.EXE
2872	PING.EXE
3080	PING.EXE
1204	PING.EXE
3604	PING.EXE
1060	PING.EXE
432	PING.EXE
4452
4024	PING.EXE
4220	PING.EXE
3388	PING.EXE
848	PING.EXE
3352	PING.EXE
3024
1052	PING.EXE
1352	PING.EXE
4416	PING.EXE
3064	PING.EXE
3844	PING.EXE
4964	PING.EXE
4364	PING.EXE
4784	PING.EXE
3288
4776	PING.EXE
852	PING.EXE
1524	PING.EXE
3620	PING.EXE
736	PING.EXE
5052	PING.EXE
5060	PING.EXE
640
3776	PING.EXE
4036	PING.EXE
2276	PING.EXE
4656	PING.EXE
312	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

pid	Process
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WScript.exe

pid	Process
1616	WScript.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Ghiya.exe

pid	Process
3552	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

pid	Process
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AK74.exeGhiya.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exeAK74.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	1752	AK74.exe
Token: SeLoadDriverPrivilege	3552	Ghiya.exe
Token: SeIncBasePriorityPrivilege	4796	AK74.exe
Token: SeIncBasePriorityPrivilege	2428	AK74.exe
Token: SeIncBasePriorityPrivilege	1980	AK74.exe
Token: SeIncBasePriorityPrivilege	3624	AK74.exe
Token: SeIncBasePriorityPrivilege	4396	AK74.exe
Token: SeIncBasePriorityPrivilege	3620	AK74.exe
Token: SeIncBasePriorityPrivilege	4512	AK74.exe
Token: SeIncBasePriorityPrivilege	4900	AK74.exe
Token: SeIncBasePriorityPrivilege	2596	AK74.exe
Token: SeIncBasePriorityPrivilege	8	AK74.exe
Token: SeIncBasePriorityPrivilege	1488	AK74.exe
Token: SeIncBasePriorityPrivilege	2644	AK74.exe
Token: SeIncBasePriorityPrivilege	1880	AK74.exe
Token: SeIncBasePriorityPrivilege	1752	AK74.exe
Token: SeIncBasePriorityPrivilege	3232	AK74.exe
Token: SeIncBasePriorityPrivilege	1744	AK74.exe
Token: SeIncBasePriorityPrivilege	2256	AK74.exe
Token: SeIncBasePriorityPrivilege	968	AK74.exe
Token: SeIncBasePriorityPrivilege	3388	AK74.exe
Token: SeIncBasePriorityPrivilege	4884	AK74.exe
Token: SeIncBasePriorityPrivilege	1852	AK74.exe
Token: SeIncBasePriorityPrivilege	3292	AK74.exe
Token: SeIncBasePriorityPrivilege	2416	AK74.exe
Token: SeIncBasePriorityPrivilege	3956	AK74.exe
Token: SeIncBasePriorityPrivilege	4992	AK74.exe
Token: SeIncBasePriorityPrivilege	2264	AK74.exe
Token: SeIncBasePriorityPrivilege	4344	AK74.exe
Token: SeIncBasePriorityPrivilege	4520	AK74.exe
Token: SeIncBasePriorityPrivilege	2804	AK74.exe
Token: SeIncBasePriorityPrivilege	4308	AK74.exe
Token: SeIncBasePriorityPrivilege	1804	AK74.exe
Token: SeIncBasePriorityPrivilege	2148	AK74.exe
Token: SeIncBasePriorityPrivilege	2696	AK74.exe
Token: SeIncBasePriorityPrivilege	4644	AK74.exe
Token: SeIncBasePriorityPrivilege	1652	AK74.exe
Token: SeIncBasePriorityPrivilege	4060	AK74.exe
Token: SeIncBasePriorityPrivilege	4556	AK74.exe
Token: SeIncBasePriorityPrivilege	3292	AK74.exe
Token: SeIncBasePriorityPrivilege	5000	AK74.exe
Token: SeIncBasePriorityPrivilege	4036	AK74.exe
Token: SeIncBasePriorityPrivilege	4564	AK74.exe
Token: SeIncBasePriorityPrivilege	3224	AK74.exe
Token: SeIncBasePriorityPrivilege	3232	AK74.exe
Token: SeIncBasePriorityPrivilege	1052	AK74.exe
Token: SeIncBasePriorityPrivilege	3540	AK74.exe
Token: SeIncBasePriorityPrivilege	1784	AK74.exe
Token: SeIncBasePriorityPrivilege	4060	AK74.exe
Token: SeIncBasePriorityPrivilege	5104	AK74.exe
Token: SeIncBasePriorityPrivilege	1064	AK74.exe
Token: SeIncBasePriorityPrivilege	4060	AK74.exe
Token: SeIncBasePriorityPrivilege	4640	AK74.exe
Token: SeIncBasePriorityPrivilege	1784	AK74.exe
Token: SeIncBasePriorityPrivilege	2700	AK74.exe
Token: SeIncBasePriorityPrivilege	3276	AK74.exe
Token: SeIncBasePriorityPrivilege	4312	AK74.exe
Token: SeIncBasePriorityPrivilege	1168	AK74.exe
Token: SeIncBasePriorityPrivilege	3320	AK74.exe
Token: SeIncBasePriorityPrivilege	1804	AK74.exe
Token: SeIncBasePriorityPrivilege	4556	AK74.exe
Token: SeIncBasePriorityPrivilege	1984	AK74.exe
Token: 33	3552	Ghiya.exe
Token: SeIncBasePriorityPrivilege	3552	Ghiya.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	Process
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
4824	svchcst.exe
4824	svchcst.exe
1016	svchcst.exe
1016	svchcst.exe
4244	svchcst.exe
4244	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3788	svchcst.exe
3788	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
3332	svchcst.exe
3332	svchcst.exe
4364	svchcst.exe
4364	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
4332	svchcst.exe
4332	svchcst.exe
5000	svchcst.exe
5000	svchcst.exe
3156	svchcst.exe
3156	svchcst.exe
3688	svchcst.exe
3688	svchcst.exe
3624	svchcst.exe
3624	svchcst.exe
4564	svchcst.exe
4564	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
828	svchcst.exe
828	svchcst.exe
4512	svchcst.exe
4512	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
4484	svchcst.exe
4484	svchcst.exe
3192	svchcst.exe
3192	svchcst.exe
4276	svchcst.exe
4276	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
4644	svchcst.exe
4644	svchcst.exe
4872	svchcst.exe
4872	svchcst.exe
4520	svchcst.exe
4520	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exeAK74.exeGhiya.execmd.exeWScript.exesvchcst.exeAK74.exeGhiya.execmd.exesvchcst.exeAK74.exeGhiya.execmd.exe

description	pid	Process	procid_target
PID 4820 wrote to memory of 4888	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	85
PID 4820 wrote to memory of 4888	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	85
PID 4820 wrote to memory of 4888	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	85
PID 4820 wrote to memory of 3144	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	174
PID 4820 wrote to memory of 3144	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	174
PID 4820 wrote to memory of 3144	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	174
PID 4820 wrote to memory of 1752	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	90
PID 4820 wrote to memory of 1752	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	90
PID 4820 wrote to memory of 1752	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	90
PID 1752 wrote to memory of 1440	1752	AK74.exe	93
PID 1752 wrote to memory of 1440	1752	AK74.exe	93
PID 1752 wrote to memory of 1440	1752	AK74.exe	93
PID 1352 wrote to memory of 3552	1352	Ghiya.exe	94
PID 1352 wrote to memory of 3552	1352	Ghiya.exe	94
PID 1352 wrote to memory of 3552	1352	Ghiya.exe	94
PID 4820 wrote to memory of 1616	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	96
PID 4820 wrote to memory of 1616	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	96
PID 4820 wrote to memory of 1616	4820	2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe	96
PID 1440 wrote to memory of 4040	1440	cmd.exe	97
PID 1440 wrote to memory of 4040	1440	cmd.exe	97
PID 1440 wrote to memory of 4040	1440	cmd.exe	97
PID 1616 wrote to memory of 4824	1616	WScript.exe	99
PID 1616 wrote to memory of 4824	1616	WScript.exe	99
PID 1616 wrote to memory of 4824	1616	WScript.exe	99
PID 4824 wrote to memory of 2872	4824	svchcst.exe	223
PID 4824 wrote to memory of 2872	4824	svchcst.exe	223
PID 4824 wrote to memory of 2872	4824	svchcst.exe	223
PID 4824 wrote to memory of 800	4824	svchcst.exe	185
PID 4824 wrote to memory of 800	4824	svchcst.exe	185
PID 4824 wrote to memory of 800	4824	svchcst.exe	185
PID 4824 wrote to memory of 4796	4824	svchcst.exe	102
PID 4824 wrote to memory of 4796	4824	svchcst.exe	102
PID 4824 wrote to memory of 4796	4824	svchcst.exe	102
PID 4796 wrote to memory of 3196	4796	AK74.exe	218
PID 4796 wrote to memory of 3196	4796	AK74.exe	218
PID 4796 wrote to memory of 3196	4796	AK74.exe	218
PID 3560 wrote to memory of 668	3560	Ghiya.exe	106
PID 3560 wrote to memory of 668	3560	Ghiya.exe	106
PID 3560 wrote to memory of 668	3560	Ghiya.exe	106
PID 3196 wrote to memory of 312	3196	cmd.exe	107
PID 3196 wrote to memory of 312	3196	cmd.exe	107
PID 3196 wrote to memory of 312	3196	cmd.exe	107
PID 1616 wrote to memory of 1016	1616	WScript.exe	108
PID 1616 wrote to memory of 1016	1616	WScript.exe	108
PID 1616 wrote to memory of 1016	1616	WScript.exe	108
PID 1016 wrote to memory of 4636	1016	svchcst.exe	263
PID 1016 wrote to memory of 4636	1016	svchcst.exe	263
PID 1016 wrote to memory of 4636	1016	svchcst.exe	263
PID 1016 wrote to memory of 3104	1016	svchcst.exe	110
PID 1016 wrote to memory of 3104	1016	svchcst.exe	110
PID 1016 wrote to memory of 3104	1016	svchcst.exe	110
PID 1016 wrote to memory of 2428	1016	svchcst.exe	111
PID 1016 wrote to memory of 2428	1016	svchcst.exe	111
PID 1016 wrote to memory of 2428	1016	svchcst.exe	111
PID 2428 wrote to memory of 4352	2428	AK74.exe	113
PID 2428 wrote to memory of 4352	2428	AK74.exe	113
PID 2428 wrote to memory of 4352	2428	AK74.exe	113
PID 4052 wrote to memory of 4372	4052	Ghiya.exe	274
PID 4052 wrote to memory of 4372	4052	Ghiya.exe	274
PID 4052 wrote to memory of 4372	4052	Ghiya.exe	274
PID 4352 wrote to memory of 3080	4352	cmd.exe	116
PID 4352 wrote to memory of 3080	4352	cmd.exe	116
PID 4352 wrote to memory of 3080	4352	cmd.exe	116
PID 1616 wrote to memory of 4244	1616	WScript.exe	117

C:\Users\Admin\AppData\Local\Temp\2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe
"C:\Users\Admin\AppData\Local\Temp\2b5fcf1a8a9c500c3f68ee772bd45e583cb6ee8b4838009b0d2df49f4f89b44d.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      PID:4040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:312
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3080
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1244
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2408
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 436
        5⤵
        Program crash
        
        PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1188
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3224
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:60
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2152
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 348
        5⤵
        Program crash
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:968
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3224
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1188
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4024
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Drops file in System32 directory
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Drops file in System32 directory
      PID:3036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 348
        5⤵
        Program crash
        
        PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      PID:4960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 424
        5⤵
        Program crash
        
        PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3320
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 420
        5⤵
        Program crash
        
        PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 500
        5⤵
        Program crash
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1520
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:312
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Loads dropped DLL
      Drops file in System32 directory
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4544
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4416
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3436
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4600
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3104
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4168
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4840
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1244
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2020
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3144
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1664
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:8
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4840
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2728
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3104
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2700
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1520
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4268
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1652
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:644
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4388
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4312
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2212
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3956
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4544
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:772
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4220
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3228
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2656
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:768
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1232
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:32
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1352
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3564
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4720
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2328
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1244
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4512
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:512
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1188
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4396
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1516
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4052
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:224
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2148
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3228
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1488
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3724
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4312
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1168
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1280
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2804
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3784
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1168
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1440
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3144
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5036
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3844
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:676
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4472
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1808
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:852
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2100
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4448
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4980
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3388
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:60
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3068
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4036
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4884
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:32
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1204
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4636
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:848
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3724
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2484
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2644
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4728
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3188
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3560
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4544
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4364
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:676
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1804
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1760
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4656
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1016
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2836
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5052
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1848
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:772
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1656
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2100
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4520
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3292
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3620
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1040
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:736
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4628
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1880
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4416
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2272
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4040
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2420
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2136
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:736
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3844
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4344
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1496
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2248
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:968
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3220
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4492
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3844
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4872
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4004
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4956
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:668
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3852
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2984
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2304
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1884
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:220
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4348
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:60
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:8
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2712
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3984
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4492
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2572
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:684
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1300
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240626906.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1972

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3552

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:668

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:4372

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:3292
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3164

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:4452
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:640

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:2588
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3388

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:4644
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3596 -ip 3596
1⤵
PID:4372

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:1476
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:464

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:4364
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1524

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1404
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4060 -ip 4060
1⤵
PID:4444

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4804
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3232

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:5052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4628

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3320
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2112

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2872
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3036 -ip 3036
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4960 -ip 4960
1⤵
PID:1404

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1784
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2012

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1064
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 580 -ip 580
1⤵
PID:3392

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1848
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 580 -ip 580
1⤵
PID:1488

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1352
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3096

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:684
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1984

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4748
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1820

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1984
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1664

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:5104
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4872

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3564
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2728

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:968
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4564

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1244
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1520

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:3224
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:828

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1404
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3560

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4636
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4308

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4544
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:580

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3392
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2256

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 9qSHcJymP0CteioRg+9DsQ.0.2
1⤵
PID:4776

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:312
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3368

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2728
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4472

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4468
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4004

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3292
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:32

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3228
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2588

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4628
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1412

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:4644
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2656

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4504

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3732
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3852

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3320
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:684

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2888
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1188

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3764
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3392

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1652
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1956

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1784
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1352

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3764
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2256

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2276
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4004

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4332
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2708
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:800

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4888
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1952

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2436
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:5072

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4444
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4992

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:828

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4916
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4332

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4900
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3940

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3564
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3312

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1708
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1784

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2588
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4872

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:880
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3540

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1444
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2480

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1664
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2264

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:5016
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4880

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2100
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3660

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4612

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2836
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4884

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:772
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1084

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4720
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2012

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1680

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:3788
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2404
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3484

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3644
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1412

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:32
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4496

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2708
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2480

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3160
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4840

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3312
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3604

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3036
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4916

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2404
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4924

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1764

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:800
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4080

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2968
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2572

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2436
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4964

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1556
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3984

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1960
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3220

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2220
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:404

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2984
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2436

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3232
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2872

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3688
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2328

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2100

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3484
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:368

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3620
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4840

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1884
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1040

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2920
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3036

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4624
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4504

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4268
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4004

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3752
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4364

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1352
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4916

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2984
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2660

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2872
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3320

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4896
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3052

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3040
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1184
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4496

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1496
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3160

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2640
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3412

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3024
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1060

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2900
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4580
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4812

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3188
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3040

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1440
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:736

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1188
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2136

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:968
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1480

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4620
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:376

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1952
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3232

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2012
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1848

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4220
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1064
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4476

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4276

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3028
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3276

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:536
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4340

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3196
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2012

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4716
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:220

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:5012
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2912

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:640
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1524

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2064
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2672

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4156
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
67d2cbb8d97c73309e3f4e2f27b4306e

SHA1
9856ca2e88b78c776c6f78d8d1981f503ed96702

SHA256
c6243c233acc346f04b357447bbd13f4c5f48966b0d708e6558202f1f6936bc8

SHA512
2a2145b6f97e68ff6b1b52f16216ab64e84918a9c102bde22b383fe6f58bca1572b8f4ddf52e80700939cd2712977f34f8fb1400c9a3b5d7ab46338b10d03b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
414030a06ca2c29b8200863d54d40500

SHA1
e1e6ec129f856c2e85accb5ea7f141a54e14b018

SHA256
da9eaa5dc9a8047441d45e97d28bf3e66af984e1e1e986d4dba58afa480d1914

SHA512
0e2c3403c10f876180a57e84078bc1f4d60b309a7026f2b1fec6dd895594ef20b0163b36494407de9a9a294c117a737391d2e1f056a6c5c946c74e101731c3ec

Download Submit
C:\Windows\SysWOW64\240626906.txt

Filesize
49KB

MD5
c6f34b279d163cba37834c6ce76cfcaf

SHA1
5e59d22f3b892d2cd793f30000e3d503aee01aef

SHA256
764a8636454a3ee9d3c4d06ca75ddf9a4a3be89b2bd61a13a8fd61e12d4534cb

SHA512
57ed668f5eb3fe04b5a1dc658529e5c56dd81cbe7b1d7a98b51e7c32537bcbc5b7bad0812ca8ae8ba60d73808a935ef00b7133945ce23c00487db6761ebb449a

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
45B

MD5
8738bcaf9f5600cf3f4c2c09432d61fb

SHA1
e06a1a617e6805649ff4989444d85c9da94f3499

SHA256
bb42604e3b86ba2f3518f339830b2ca9ee2a725e754149c2e8f5d5c541f1e283

SHA512
c44e50614841697ba846a5620e170d72eb31ddec062fb509d355e47e7fee0980ed91b5c7b4b0b9a4b190967933557003585a848f98e82a8aa0aedcbfc4ee69bb

Download Submit
memory/828-779-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1016-146-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1352-39-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1352-36-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1352-38-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1752-31-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1752-28-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1752-30-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1804-752-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1804-943-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1948-558-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1968-236-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2100-834-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2136-370-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2136-401-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2272-308-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2672-493-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3068-276-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3068-528-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3156-639-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3192-889-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3332-430-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3512-337-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3552-53-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3552-49-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3552-54-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3624-695-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3688-666-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3788-368-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4244-193-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4276-916-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4332-589-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4364-461-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4484-862-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4512-807-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4564-698-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4564-725-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4820-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4820-369-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4820-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4824-66-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4824-102-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/5000-618-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download