Analysis Overview
SHA256
902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21
Threat Level: Known bad
The file 902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21 was found to be: Known bad.
Malicious Activity Summary
Gh0strat family
PurpleFox
Purplefox family
Gh0strat
Detect PurpleFox Rootkit
Gh0st RAT payload
Server Software Component: Terminal Services DLL
Drops file in Drivers directory
Sets service image path in registry
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
VMProtect packed file
Adds Run key to start application
Drops file in System32 directory
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Runs ping.exe
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 19:39
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 19:39
Reported
2024-11-07 19:41
Platform
win7-20240903-en
Max time kernel
122s
Max time network
149s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259442579.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259446198.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259444763.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259444779.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259443094.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448023.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448741.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450488.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451315.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451346.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440379.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259441456.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259444186.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259445449.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450083.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451768.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259439225.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259442002.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259449272.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259443624.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448726.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259449256.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259440925.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259447992.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450067.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259446635.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259447337.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259445449.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259446635.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259443094.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259443624.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259449272.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\259446214.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259447992.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259443094.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259450067.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259439225.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\259441471.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259447353.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259440379.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259443624.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259451346.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259440925.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259444186.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259444763.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259444779.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259445449.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259440379.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259448023.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259451768.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259439225.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259442002.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259442579.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259446198.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259447337.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259450083.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259442579.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259449256.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259451768.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259441456.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259444186.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259448726.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259450488.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259450488.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe
"C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259439225.txt",MainThread
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1444171860-16696047241320182628-582647501-7031432-191945456-399398094-1280571015"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1454293411282711835-1086068551-39670580-76329514-99155764955904779-407903891"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1037212218-612124518-2523167391914980373-1597169936-104213031915256448651481626800"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1902572334-1934078041-2113050012151777375-1281229922-61188037812733617082044179044"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1913521877-76449720923369701064825370962791329-1405808113-1465089419-727356341"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18261360512058139573-405197504-47174105210458428511244474678558188184965541347"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1855926302-2068448508899840108-20716765801049239208245251849488789953-956784220"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77049883621058880814627362211906019665988582083-1397416575668364942114065079"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1668000561-4285783-15157718421680972432618402418-1931606643-2057271540-1739502130"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11030470271201476556-803005692-1994388505963231242-1024044018891367629-1907687447"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "339678054-454075692-1016049867322089312-1078846816-189390043-1979913675-1912726470"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-492721576-9345078701409622579-21362281042075013891513027585-18700509901510074239"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1061513211870688294-8688688651148117870-973389060-1128387358321832496-1753116442"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "796009150-330160888-1834092217-1259826349-4826158798976916771429987931-1886900099"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4296974712984529671921863876-130226785854690369-138467119813710684541159353421"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11306583231224428480-24857163561950702129618870-422897223682741062-1190018374"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "577629-589142382-9820839843026713681623075273-1505960344657774374-1242955802"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1688393200-1649202150103061563668248825012433468402672539591246125989-719028316"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "325701286155115973114802020012065682779-1839785833895529927747506405712651809"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1407208164-1888204202-1431654977886543969366021901-189607238810141983651991290059"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198058714-834696316-1475777023-1444329138-1375806829-1268661698-1890293813-820546193"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "824090540-402742714-8248274711360629118-21069063441507478266-1456206378-1923853265"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-477371379387704255-537206638-149483629-3816663-1975302762-18858206391426783534"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-75867710-13071211877386161241287956023-64628407-607045206441126711-1834324411"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "177447203015309906354560803-214640663-192595960-1280947033-5242540211739339574"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1888233453190527932411290358-269149603-1271655879655987432610385448467207818"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "940783642101572097112777688288973492180913816315809685652109362466-1801400144"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11699860421828131435-1839021432-33524913257269448-896701669-1211278344-1125645886"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "966188119-252324885425184252-10254486751278638558-1462934666-17912702831865492841"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1165164755484033089-1317600486-18244395991067767501-1473019685-2001247444136858333"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1380333329-937212202-1489954986-1920538321641882001951241131549308461373432726"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-900881114149508904318604463920729787511959115329206747885-13238205421141047636"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp | |
| CN | 43.249.193.73:54997 | tcp |
Files
memory/1704-0-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1704-1-0x0000000000400000-0x0000000000760000-memory.dmp
\Users\Admin\AppData\Local\Temp\AK47.exe
| MD5 | 423eb994ed553294f8a6813619b8da87 |
| SHA1 | eca6a16ccd13adcfc27bc1041ddef97ec8081255 |
| SHA256 | 050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218 |
| SHA512 | fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095 |
\Windows\SysWOW64\259439225.txt
| MD5 | 35119942dd353238c5480564f18e6d64 |
| SHA1 | bf3b9868f2cac8c5ff4df14218ffe59bffe7f4e7 |
| SHA256 | 3378201ebbf5a34a4dca097c9bc41643399c2d47891347a20716b38fd774da7f |
| SHA512 | 13f5f889eb5238f961983eb9eec1744687093a6a3ac655fd293a740f291e0ba50092c4553d3259525d95a57d96e6b4246a06972a2d26368c7c3e456337eac731 |
\Users\Admin\AppData\Local\Temp\AK74.exe
| MD5 | b0998aa7d5071d33daa5b60b9c3c9735 |
| SHA1 | 9365a1ff0c6de244d6f36c8d84072cc916665d3c |
| SHA256 | 3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a |
| SHA512 | 308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850 |
memory/2712-26-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2712-29-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2712-28-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-47-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-41-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-48-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-51-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-49-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2620-54-0x0000000010000000-0x00000000101BA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 659e05e1439a1b28f061819e61ec38c7 |
| SHA1 | ccd2e4ae04f15fe9978f1211956dba5be008a1d6 |
| SHA256 | 54b0b59254d97a37466fe2eecb88271d2ede80a7f6078959e6eb9e0ce55ffc11 |
| SHA512 | 45c58b819fe0f5940835076d186cbf5a62fdbbd42bb850d9158c330dc039cf71804e7c0b31ca0caa16d8ca3e1f55e7dc2ff33aed2c70f0fbd4a598891b7a623a |
memory/1704-64-0x00000000021D0000-0x00000000021E0000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 87b944607717d239624133f7bfba59f2 |
| SHA1 | ff24e1928bc3aaab33bb802ccfe4a7f2e9561698 |
| SHA256 | c9d0c18a9f333306d0bdcabcbbf47e30169e0dd92315c929d325c1a75cefa2e7 |
| SHA512 | 1e959117a1f980caaf103a4abd5632fe9f3d9f099b7b6a95653dfc91d0be147b66db114cd457123ed75ec1423049019a8f75736b52ee82b18e974a0a6b445e95 |
memory/2796-70-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2696-69-0x0000000005E90000-0x00000000061F0000-memory.dmp
memory/2796-110-0x0000000000400000-0x0000000000760000-memory.dmp
C:\Windows\SysWOW64\ini.ini
| MD5 | c63e8e75e70189df5c0435b83e5527fe |
| SHA1 | 5a155db21c97e4c08d35450b373e52a15250ecde |
| SHA256 | d94005e331390aa20eba769e0b70c176e0578f501e87ab69bb065cc2e244bad3 |
| SHA512 | 5d20bb1bb4a34178f26f6ead907db255cc39ebd6e5129cb92c43a3a7cfd7b1829bbaeeb08f47b162eec54211a16933f50aa83fe9a8e933d8cdf8ec4838695633 |
memory/1884-114-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1884-155-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2072-198-0x0000000000400000-0x0000000000760000-memory.dmp
memory/856-228-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1448-256-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2640-284-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1632-290-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1704-289-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1632-318-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2408-346-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2696-347-0x0000000005E90000-0x00000000061F0000-memory.dmp
memory/2444-374-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2760-406-0x0000000000400000-0x0000000000760000-memory.dmp
memory/324-432-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1012-464-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2660-490-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2384-495-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2384-523-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2132-554-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2092-589-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2900-590-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2900-622-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1572-623-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1572-651-0x0000000000400000-0x0000000000760000-memory.dmp
memory/936-679-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2328-711-0x0000000000400000-0x0000000000760000-memory.dmp
memory/776-735-0x0000000000400000-0x0000000000760000-memory.dmp
memory/404-738-0x0000000000400000-0x0000000000760000-memory.dmp
memory/404-762-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1572-782-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2680-787-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2680-811-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2448-831-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1436-836-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1436-856-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1752-880-0x0000000000400000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| MD5 | 29ce53e2a4a446614ccc8d64d346bde4 |
| SHA1 | 39a7aa5cc1124842aa0c25abb16ea94452125cbe |
| SHA256 | 56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df |
| SHA512 | b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 19:39
Reported
2024-11-07 19:41
Platform
win10v2004-20241007-en
Max time kernel
78s
Max time network
145s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240621359.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240627687.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240627703.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628781.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240633187.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630109.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630968.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240632312.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240633859.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240622906.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240624843.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240625531.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240626468.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628765.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240632328.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240633187.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\240633859.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240622890.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240624843.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240627687.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240630968.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240632328.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240624843.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240625531.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240632312.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240633187.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240628781.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240621359.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240626468.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240626468.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240627703.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240622906.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\240625531.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240630109.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240630968.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240633859.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240621359.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240628765.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240630109.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\AK47.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe
"C:\Users\Admin\AppData\Local\Temp\902dfdc18da500c313fe36c85f26b3dc72c9e87cb946cd8e97ec03549b656f21.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 432
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240621359.txt",MainThread
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | tcp | |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
Files
memory/1608-0-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1608-1-0x0000000000400000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AK47.exe
| MD5 | 423eb994ed553294f8a6813619b8da87 |
| SHA1 | eca6a16ccd13adcfc27bc1041ddef97ec8081255 |
| SHA256 | 050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218 |
| SHA512 | fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095 |
C:\Windows\SysWOW64\240621359.txt
| MD5 | 35119942dd353238c5480564f18e6d64 |
| SHA1 | bf3b9868f2cac8c5ff4df14218ffe59bffe7f4e7 |
| SHA256 | 3378201ebbf5a34a4dca097c9bc41643399c2d47891347a20716b38fd774da7f |
| SHA512 | 13f5f889eb5238f961983eb9eec1744687093a6a3ac655fd293a740f291e0ba50092c4553d3259525d95a57d96e6b4246a06972a2d26368c7c3e456337eac731 |
C:\Users\Admin\AppData\Local\Temp\AK74.exe
| MD5 | b0998aa7d5071d33daa5b60b9c3c9735 |
| SHA1 | 9365a1ff0c6de244d6f36c8d84072cc916665d3c |
| SHA256 | 3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a |
| SHA512 | 308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850 |
memory/2056-30-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2056-31-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/2056-28-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3400-39-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3400-38-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3400-36-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-48-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-49-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-47-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-45-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-53-0x0000000010000000-0x00000000101BA000-memory.dmp
memory/3540-54-0x0000000010000000-0x00000000101BA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | dd8b96cf5ba642a7f46ddbbe9e3c8032 |
| SHA1 | f5824868e212c973650aedf8649c73af99fa9e82 |
| SHA256 | 7f0b7b329c8fd12c72f9e51fbdc066f2e73ad34ca8adee9eec1a97ef1ce11ece |
| SHA512 | ea4169ccd363fc8787fe3e1655eaf9112f8c7edf2b074a0c0e87b53c4b9bf25d742bf104728c239ab2c536fe793682a2561cd169516138f63f80c81cccabcb9d |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 94e98dba5fc47b66e069fd1cad6327f0 |
| SHA1 | 534520c3226beae1dad8893efee83f7696846cf7 |
| SHA256 | 90acc568fb100c72e3c82b34d022d62a3b872aa3fdd5ae90619a25b668b2bde9 |
| SHA512 | 93c4b2e2c8d1cfa7332778361bbd308e348118dbb30ad8700e001ad37e57c5828aa051071974c5b619568236848ae8447b8075c0490704eadafc2d0478274462 |
C:\Windows\SysWOW64\ini.ini
| MD5 | c63e8e75e70189df5c0435b83e5527fe |
| SHA1 | 5a155db21c97e4c08d35450b373e52a15250ecde |
| SHA256 | d94005e331390aa20eba769e0b70c176e0578f501e87ab69bb065cc2e244bad3 |
| SHA512 | 5d20bb1bb4a34178f26f6ead907db255cc39ebd6e5129cb92c43a3a7cfd7b1829bbaeeb08f47b162eec54211a16933f50aa83fe9a8e933d8cdf8ec4838695633 |
memory/908-105-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1668-148-0x0000000000400000-0x0000000000760000-memory.dmp
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/4560-195-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1168-197-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1168-237-0x0000000000400000-0x0000000000760000-memory.dmp
memory/872-279-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2484-281-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1608-280-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2484-316-0x0000000000400000-0x0000000000760000-memory.dmp
memory/776-347-0x0000000000400000-0x0000000000760000-memory.dmp
memory/4424-379-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1280-414-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1424-445-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3764-476-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2412-503-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2180-504-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2180-531-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3212-558-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3716-585-0x0000000000400000-0x0000000000760000-memory.dmp
memory/5040-612-0x0000000000400000-0x0000000000760000-memory.dmp
memory/5028-639-0x0000000000400000-0x0000000000760000-memory.dmp
memory/976-662-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3628-694-0x0000000000400000-0x0000000000760000-memory.dmp
memory/4432-721-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3604-749-0x0000000000400000-0x0000000000760000-memory.dmp
memory/4208-775-0x0000000000400000-0x0000000000760000-memory.dmp
memory/4648-802-0x0000000000400000-0x0000000000760000-memory.dmp
memory/2700-825-0x0000000000400000-0x0000000000760000-memory.dmp
memory/112-856-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3652-883-0x0000000000400000-0x0000000000760000-memory.dmp
memory/3512-911-0x0000000000400000-0x0000000000760000-memory.dmp
memory/1172-933-0x0000000000400000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| MD5 | 29ce53e2a4a446614ccc8d64d346bde4 |
| SHA1 | 39a7aa5cc1124842aa0c25abb16ea94452125cbe |
| SHA256 | 56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df |
| SHA512 | b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa |