gh0strat | 149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e

Analysis

max time kernel
78s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
Size

1.2MB
MD5

8a3bf8d39fb3a77e04b063a605e634ed
SHA1

8864871566738f7af26919fb4ec1c8490e0a3dd8
SHA256

149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e
SHA512

97535cd2ebf79a402aa6e4db57bd15542059845821291c019c48fe0b943eeced7241940986ab5bc1d5f52877fc7880d87c7496dc93bfa4774358ce72cf316bf9
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiL:WIwgMEuy+inDfp3/XoCw57XYBwKL

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/832-29-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/832-28-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2880-47-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2880-48-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2880-49-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2880-53-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2880-54-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001866e-14.dat	family_gh0strat
behavioral1/memory/832-29-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/832-28-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2880-47-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2880-48-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2880-49-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2880-53-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2880-54-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Server Software Component: Terminal Services DLL 1 TTPs 23 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259456884.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259447758.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259449287.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451034.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451612.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452766.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452797.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259453312.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259457930.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448195.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259453858.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259454404.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259458944.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259446198.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450473.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451019.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452142.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259455605.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259456338.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259457914.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448757.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452158.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259455012.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe

Executes dropped EXE 64 IoCs

pid	Process
2348	AK47.exe
1796	AK47.exe
832	AK74.exe
2928	Ghiya.exe
2880	Ghiya.exe
1612	svchcst.exe
1192	AK47.exe
1272	AK47.exe
2952	AK74.exe
2296	Ghiya.exe
1556	Ghiya.exe
688	svchcst.exe
664	AK47.exe
568	AK47.exe
316	AK74.exe
3016	Ghiya.exe
1040	Ghiya.exe
1536	svchcst.exe
1924	AK47.exe
2372	AK47.exe
868	AK74.exe
1584	Ghiya.exe
2528	Ghiya.exe
2920	svchcst.exe
2872	AK47.exe
2780	AK47.exe
2732	svchcst.exe
2496	AK47.exe
1404	AK47.exe
2796	AK74.exe
2464	Ghiya.exe
2940	Ghiya.exe
2852	svchcst.exe
2188	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2296	AK47.exe
944	AK47.exe
2660	AK74.exe
844	Ghiya.exe
2480	Ghiya.exe
1520	svchcst.exe
1624	AK47.exe
2384	AK47.exe
2216	AK74.exe
1444	Ghiya.exe
1752	Ghiya.exe
2084	svchcst.exe
2948	AK47.exe
2396	AK47.exe
2428	AK74.exe
328	Ghiya.exe
2408	Ghiya.exe
2896	svchcst.exe
1788	AK47.exe
1672	AK47.exe
1960	AK74.exe
1948	Ghiya.exe
2680	Ghiya.exe
1868	svchcst.exe
2864	AK47.exe
1704	AK47.exe
1324	AK74.exe
2832	Ghiya.exe
2584	Ghiya.exe
1816	svchcst.exe

Loads dropped DLL 64 IoCs

pid	Process
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
1796	AK47.exe
2152	svchost.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2928	Ghiya.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2020	WScript.exe
1612	svchcst.exe
1612	svchcst.exe
1192	AK47.exe
1612	svchcst.exe
2296	Ghiya.exe
688	svchcst.exe
688	svchcst.exe
664	AK47.exe
688	svchcst.exe
3016	Ghiya.exe
1536	svchcst.exe
1536	svchcst.exe
1924	AK47.exe
1536	svchcst.exe
1584	Ghiya.exe
2920	svchcst.exe
2920	svchcst.exe
2872	AK47.exe
2732	svchcst.exe
2732	svchcst.exe
2496	AK47.exe
2732	svchcst.exe
2464	Ghiya.exe
2152	svchost.exe
2188	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2852	svchcst.exe
2852	svchcst.exe
944	AK47.exe
2296	AK47.exe
2852	svchcst.exe
844	Ghiya.exe
1520	svchcst.exe
1520	svchcst.exe
1624	AK47.exe
2384	AK47.exe
1520	svchcst.exe
1444	Ghiya.exe
2084	svchcst.exe
2084	svchcst.exe
2948	AK47.exe
2084	svchcst.exe
328	Ghiya.exe
2896	svchcst.exe
2896	svchcst.exe
1788	AK47.exe
1672	AK47.exe
2896	svchcst.exe
1948	Ghiya.exe
1868	svchcst.exe
1868	svchcst.exe
2864	AK47.exe
1704	AK47.exe
1868	svchcst.exe
2832	Ghiya.exe
1816	svchcst.exe

VMProtect packed file 38 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2096-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2096-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/files/0x000900000001903b-61.dat	vmprotect
behavioral1/memory/1612-72-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1612-113-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/688-155-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1536-193-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2920-213-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2732-214-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2732-236-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2852-272-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1520-274-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2096-273-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1520-305-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2084-329-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2896-334-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2896-364-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1868-394-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1816-397-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1816-425-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2672-455-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2440-483-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2176-509-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2660-541-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/896-570-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2652-598-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1344-626-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2916-631-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2916-659-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1156-679-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/896-707-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2860-729-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2932-757-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1508-777-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1868-804-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1568-824-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1908-829-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1908-853-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259456338.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259448757.txt	AK47.exe
File created	C:\Windows\SysWOW64\259449287.txt	AK47.exe
File created	C:\Windows\SysWOW64\259449896.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259457930.txt	AK47.exe
File created	C:\Windows\SysWOW64\259458944.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259452766.txt	AK47.exe
File created	C:\Windows\SysWOW64\259453858.txt	AK47.exe
File created	C:\Windows\SysWOW64\259456338.txt	AK47.exe
File created	C:\Windows\SysWOW64\259451019.txt	AK47.exe
File created	C:\Windows\SysWOW64\259451034.txt	AK47.exe
File created	C:\Windows\SysWOW64\259455605.txt	AK47.exe
File created	C:\Windows\SysWOW64\259458944.txt	AK47.exe
File created	C:\Windows\SysWOW64\259446198.txt	AK47.exe
File created	C:\Windows\SysWOW64\259448757.txt	AK47.exe
File created	C:\Windows\SysWOW64\259449896.txt	AK47.exe
File created	C:\Windows\SysWOW64\259451612.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259454404.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259452797.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259455012.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259448195.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259454404.txt	AK47.exe
File created	C:\Windows\SysWOW64\259455012.txt	AK47.exe
File created	C:\Windows\SysWOW64\259448195.txt	AK47.exe
File created	C:\Windows\SysWOW64\259453889.txt	AK47.exe
File created	C:\Windows\SysWOW64\259457914.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259452158.txt	AK47.exe
File created	C:\Windows\SysWOW64\259453328.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259451612.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\259452142.txt	AK47.exe
File created	C:\Windows\SysWOW64\259450473.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259455605.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259447758.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259450457.txt	AK47.exe
File created	C:\Windows\SysWOW64\259453312.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\259456884.txt	AK47.exe
File created	C:\Windows\SysWOW64\259456884.txt	AK47.exe
File created	C:\Windows\SysWOW64\259446198.txt	AK47.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/832-26-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/832-29-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/832-28-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-41-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-47-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-48-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-49-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-53-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2880-54-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
332	cmd.exe
2824	cmd.exe
2496	cmd.exe
2816	PING.EXE
2396	PING.EXE
1344	PING.EXE
2692	PING.EXE
580	Process not Found
2932	PING.EXE
1492	Process not Found
2476	PING.EXE
1156	PING.EXE
2600	cmd.exe
2196	Process not Found
2912	cmd.exe
376	Process not Found
1572	Process not Found
792	PING.EXE
3064	cmd.exe
2408	Process not Found
2624	PING.EXE
2200	cmd.exe
1568	PING.EXE
2708	PING.EXE
2712	Process not Found
2960	Process not Found
2312	Process not Found
1960	cmd.exe
1760	Process not Found
1628	Process not Found
2968	Process not Found
2960	PING.EXE
3052	cmd.exe
2336	Process not Found
2848	cmd.exe
2912	PING.EXE
792	cmd.exe
2812	Process not Found
2524	cmd.exe
2764	PING.EXE
2980	Process not Found
1592	Process not Found
1004	Process not Found
824	Process not Found
1604	cmd.exe
1972	Process not Found
1624	Process not Found
2888	Process not Found
2216	PING.EXE
1648	Process not Found
2800	cmd.exe
2656	Process not Found
996	PING.EXE
2720	PING.EXE
2140	PING.EXE
3008	cmd.exe
1584	PING.EXE
1492	PING.EXE
2520	PING.EXE
1032	PING.EXE
2216	PING.EXE
1476	Process not Found
2716	Process not Found
2524	cmd.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
2936	PING.EXE
2932	PING.EXE
1572	Process not Found
544	Process not Found
2500	Process not Found
2420	Process not Found
2912	PING.EXE
1156	PING.EXE
2960	PING.EXE
1088	PING.EXE
1308	Process not Found
2724	PING.EXE
2216	PING.EXE
924	Process not Found
2348	PING.EXE
1628	PING.EXE
2332	Process not Found
1132	PING.EXE
2032	Process not Found
1576	Process not Found
1376	Process not Found
1272	PING.EXE
2548	PING.EXE
376	PING.EXE
2656	PING.EXE
1052	PING.EXE
2396	PING.EXE
2196	PING.EXE
1752	Process not Found
1036	PING.EXE
2216	Process not Found
1816	PING.EXE
1520	PING.EXE
1724	PING.EXE
2444	Process not Found
1000	Process not Found
2560	PING.EXE
2064	PING.EXE
1436	PING.EXE
2692	PING.EXE
2924	PING.EXE
2520	PING.EXE
2932	Process not Found
1492	PING.EXE
1592	Process not Found
2208	PING.EXE
2756	PING.EXE
1368	PING.EXE
2648	PING.EXE
2408	PING.EXE
1996	Process not Found
896	Process not Found
628	PING.EXE
2408	Process not Found
1624	Process not Found
996	PING.EXE
2032	Process not Found
3052	PING.EXE
2976	PING.EXE
1772	PING.EXE
2336	PING.EXE
2816	PING.EXE
2376	Process not Found
756	Process not Found

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2020	WScript.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2880	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	832	AK74.exe
Token: SeLoadDriverPrivilege	2880	Ghiya.exe
Token: SeIncBasePriorityPrivilege	2952	AK74.exe
Token: SeIncBasePriorityPrivilege	316	AK74.exe
Token: SeIncBasePriorityPrivilege	868	AK74.exe
Token: SeIncBasePriorityPrivilege	2796	AK74.exe
Token: SeIncBasePriorityPrivilege	2660	AK74.exe
Token: SeIncBasePriorityPrivilege	2216	AK74.exe
Token: SeIncBasePriorityPrivilege	2428	AK74.exe
Token: SeIncBasePriorityPrivilege	1960	AK74.exe
Token: SeIncBasePriorityPrivilege	1324	AK74.exe
Token: SeIncBasePriorityPrivilege	2332	AK74.exe
Token: SeIncBasePriorityPrivilege	1696	AK74.exe
Token: SeIncBasePriorityPrivilege	1928	AK74.exe
Token: SeIncBasePriorityPrivilege	944	AK74.exe
Token: SeIncBasePriorityPrivilege	1332	AK74.exe
Token: SeIncBasePriorityPrivilege	2112	AK74.exe
Token: SeIncBasePriorityPrivilege	2900	AK74.exe
Token: SeIncBasePriorityPrivilege	2008	AK74.exe
Token: SeIncBasePriorityPrivilege	2896	AK74.exe
Token: SeIncBasePriorityPrivilege	2684	AK74.exe
Token: SeIncBasePriorityPrivilege	468	AK74.exe
Token: SeIncBasePriorityPrivilege	3044	AK74.exe
Token: SeIncBasePriorityPrivilege	1132	AK74.exe
Token: SeIncBasePriorityPrivilege	1624	AK74.exe
Token: SeIncBasePriorityPrivilege	1032	AK74.exe
Token: SeIncBasePriorityPrivilege	2168	AK74.exe
Token: SeIncBasePriorityPrivilege	2724	AK74.exe
Token: SeIncBasePriorityPrivilege	1520	AK74.exe
Token: SeIncBasePriorityPrivilege	2132	AK74.exe
Token: SeIncBasePriorityPrivilege	2184	AK74.exe
Token: SeIncBasePriorityPrivilege	1516	AK74.exe
Token: SeIncBasePriorityPrivilege	568	AK74.exe
Token: SeIncBasePriorityPrivilege	2428	AK74.exe
Token: SeIncBasePriorityPrivilege	828	AK74.exe
Token: SeIncBasePriorityPrivilege	2704	AK74.exe
Token: SeIncBasePriorityPrivilege	2740	AK74.exe
Token: SeIncBasePriorityPrivilege	1732	AK74.exe
Token: SeIncBasePriorityPrivilege	2372	AK74.exe
Token: SeIncBasePriorityPrivilege	1776	AK74.exe
Token: SeIncBasePriorityPrivilege	2704	AK74.exe
Token: SeIncBasePriorityPrivilege	2584	AK74.exe
Token: SeIncBasePriorityPrivilege	2764	AK74.exe
Token: SeIncBasePriorityPrivilege	688	AK74.exe
Token: SeIncBasePriorityPrivilege	1776	AK74.exe
Token: SeIncBasePriorityPrivilege	2192	AK74.exe
Token: SeIncBasePriorityPrivilege	1772	AK74.exe
Token: SeIncBasePriorityPrivilege	2348	AK74.exe
Token: SeIncBasePriorityPrivilege	1940	AK74.exe
Token: SeIncBasePriorityPrivilege	2040	AK74.exe
Token: SeIncBasePriorityPrivilege	2192	AK74.exe
Token: SeIncBasePriorityPrivilege	2244	AK74.exe
Token: SeIncBasePriorityPrivilege	2348	AK74.exe
Token: SeIncBasePriorityPrivilege	2472	AK74.exe
Token: SeIncBasePriorityPrivilege	2468	AK74.exe
Token: SeIncBasePriorityPrivilege	2132	AK74.exe
Token: SeIncBasePriorityPrivilege	2692	AK74.exe
Token: SeIncBasePriorityPrivilege	1132	AK74.exe
Token: SeIncBasePriorityPrivilege	2640	AK74.exe
Token: SeIncBasePriorityPrivilege	2940	AK74.exe
Token: SeIncBasePriorityPrivilege	3000	AK74.exe
Token: SeIncBasePriorityPrivilege	2328	AK74.exe
Token: SeIncBasePriorityPrivilege	1764	AK74.exe
Token: SeIncBasePriorityPrivilege	1952	AK74.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
1612	svchcst.exe
1612	svchcst.exe
688	svchcst.exe
688	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
896	svchcst.exe
896	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
896	svchcst.exe
896	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2348	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	31
PID 2096 wrote to memory of 2348	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	31
PID 2096 wrote to memory of 2348	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	31
PID 2096 wrote to memory of 2348	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	31
PID 2096 wrote to memory of 1796	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	32
PID 2096 wrote to memory of 1796	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	32
PID 2096 wrote to memory of 1796	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	32
PID 2096 wrote to memory of 1796	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	32
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 2096 wrote to memory of 832	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	35
PID 832 wrote to memory of 2800	832	AK74.exe	37
PID 832 wrote to memory of 2800	832	AK74.exe	37
PID 832 wrote to memory of 2800	832	AK74.exe	37
PID 832 wrote to memory of 2800	832	AK74.exe	37
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2928 wrote to memory of 2880	2928	Ghiya.exe	38
PID 2800 wrote to memory of 2648	2800	cmd.exe	40
PID 2800 wrote to memory of 2648	2800	cmd.exe	40
PID 2800 wrote to memory of 2648	2800	cmd.exe	40
PID 2800 wrote to memory of 2648	2800	cmd.exe	40
PID 2096 wrote to memory of 2020	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	41
PID 2096 wrote to memory of 2020	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	41
PID 2096 wrote to memory of 2020	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	41
PID 2096 wrote to memory of 2020	2096	149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe	41
PID 2020 wrote to memory of 1612	2020	WScript.exe	43
PID 2020 wrote to memory of 1612	2020	WScript.exe	43
PID 2020 wrote to memory of 1612	2020	WScript.exe	43
PID 2020 wrote to memory of 1612	2020	WScript.exe	43
PID 1612 wrote to memory of 1192	1612	svchcst.exe	44
PID 1612 wrote to memory of 1192	1612	svchcst.exe	44
PID 1612 wrote to memory of 1192	1612	svchcst.exe	44
PID 1612 wrote to memory of 1192	1612	svchcst.exe	44
PID 1612 wrote to memory of 1272	1612	svchcst.exe	45
PID 1612 wrote to memory of 1272	1612	svchcst.exe	45
PID 1612 wrote to memory of 1272	1612	svchcst.exe	45
PID 1612 wrote to memory of 1272	1612	svchcst.exe	45
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 1612 wrote to memory of 2952	1612	svchcst.exe	46
PID 2952 wrote to memory of 2244	2952	AK74.exe	48
PID 2952 wrote to memory of 2244	2952	AK74.exe	48
PID 2952 wrote to memory of 2244	2952	AK74.exe	48
PID 2952 wrote to memory of 2244	2952	AK74.exe	48
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50
PID 2296 wrote to memory of 1556	2296	Ghiya.exe	50

C:\Users\Admin\AppData\Local\Temp\149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe
"C:\Users\Admin\AppData\Local\Temp\149c868f0842c6f7a79c95007f99d5fc46f29b5dd40629fa43f0be389a54e55e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:328
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:664
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:568
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2512
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:944
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2912
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1576
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:332
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1908
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Drops file in System32 directory
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2040
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2956
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Drops file in System32 directory
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Drops file in System32 directory
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:664
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2848
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:840
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2652
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1124
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1308
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2512
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:996
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:792
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2392
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2284
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1920
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:604
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2524
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2548
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:468
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1704
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2740
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:484
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2720
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:292
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1284
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2788
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2476
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1580
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:840
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2184
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1248
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2740
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1948
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:896
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:792
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1272
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3068
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:844
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:544
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:376
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2280
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2476
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2408
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1500
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2956
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:332
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:484
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1780
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3008
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2792
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1520
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2912
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:468
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2372
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:660
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1124
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2492
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2624
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1816
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:544
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1384
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3040
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:928
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2296
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:568
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1084
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2196
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:1036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2600
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2524
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2572
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1828
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1568
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2912
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:352
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:900
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1384
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1584
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2824
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:824
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:792
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1132
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2140
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1816
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3052
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1324
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:444
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:496
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1520
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2476
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3016
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:828
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:444
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2532
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:996
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2152
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259446198.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2188

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2880

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1556

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1040

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2528

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2940

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2480

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1752

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10446799749205368281739047507-679642279483452667-125997890015204112631257914468"
1⤵
PID:2732

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2584

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1800
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3048

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:952
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3068

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1960
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1500
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1064

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2288
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2984

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1384
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1536

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2472
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2856

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2696
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2176

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2276
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1007067775-514822164-2088017531-501230548-10353517661815577398-5214114081147835716"
1⤵
PID:1332

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2704
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72238470-1727733038-176550762018289726-1132239514796410664365277402-162260794"
1⤵
PID:1828

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2312
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2204

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2336
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1632

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1988
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2428

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2656
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1324

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2200
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1036

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2452
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2496

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1860
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:992

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:572
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2032

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1272
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1794666778-42794222-1604363315772069441-658537954156115576213626706671523030793"
1⤵
PID:2684

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2500
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:792

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:496
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-723182940-24688757-1740570643-14030748092057053389143164853218126459811364885591"
1⤵
PID:3044

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2180
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-924939208-1688492884144699731935516829699496916533647259114255837-73615138"
1⤵
PID:2176

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1924
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:840

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1272
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "302300666-23482742834690098828382923-534326170-66261604618257790281163371681"
1⤵
PID:1628

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2500
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1192

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2844
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1772

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1500
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18810487991186519360-11766144001608900629744892294-1664350265-11684136641075480392"
1⤵
PID:1816

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2972
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2780

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1761958629-288856524-638482774-16314940883078480991551515091-9993285242070218712"
1⤵
PID:2276

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1584
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:832

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1788
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2216

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1756
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1132

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2288
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2292

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2060
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-61457008810991164461699772743-21183219161400757938576391730-6435793081579321045"
1⤵
PID:1032

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1592
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "110488885319171893511744287722-1651086218179952694172505794930562247610912667"
1⤵
PID:2064

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:664
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "460332614-1917278057677694867-13649516901807827854-698476450797914344-1771897439"
1⤵
PID:2956

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1160

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2116
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2848

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:3052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2736

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:908
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1744

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1780
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-666975900-354688625-423193794-1307514085-1009665982929329931431209645759476800"
1⤵
PID:1332

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:868
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:332

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2780
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2076

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2936

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1556
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1788

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2392
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9455221482084142711946333397103207411813132486281109656670782187651362492056"
1⤵
PID:1748

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1000
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1908

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2256
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1056

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2968
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2384

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:556
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "482315716-1033073726-85257450213835789511776803591-936697307-242849616-865124564"
1⤵
PID:2788

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2204
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1756

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2032
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2740

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1612
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1284

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2128
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1040

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2888
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2064

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2696
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-793735400-18878649291163980495-183702503013042454432090359931133572991-314246191"
1⤵
PID:768

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1612
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2872

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3052
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2320

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1592
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1707982716-171446708-5628442211056042252115000201-148772557916301122581475977132"
1⤵
PID:628

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:952
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2408

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1928
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:896

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1612
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2892

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2040
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:660

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1828
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1576

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2824
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2492

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2032
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7063557193782126591141090914-4695237491672026079302277879473149781603529201"
1⤵
PID:2756

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2760
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1156

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2428
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1511445740-4235139481080514857-11568474897341033439810326412113601540650713052"
1⤵
PID:2792

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2456
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:556

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1756
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:316

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:292
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2524

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2760
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1464536032-1207429242-1600988270-3580483721972628123204212341821386250981601161624"
1⤵
PID:3064

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2320
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2049580182-1983266190-1636025555-421598711262134252136017668-4444797872041979404"
1⤵
PID:1308

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2924
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1708

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:660
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1976

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1676
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:468

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:696
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1372

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2572
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2112

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2420
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:484

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:840
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2224

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2084
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2332

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1748
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2348

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2736
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2708

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1996
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:628

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2704
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1166882172-1635538597-1400766923-2076422455-386029255-1706484295441848355-2010942498"
1⤵
PID:2408

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1624
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1920

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2972
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1764

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:568
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2012928609-723554963-454624396-641946279-328086282-19580925131106292389-2128558053"
1⤵
PID:2696

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:2468
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1504

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2876

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2248
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "896000237638072582-1279341598195984486825820339-57189112310866438601242809477"
1⤵
PID:292

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2084
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2089934195-208365090730485763516636261548096557141377105864-847847665-2108817709"
1⤵
PID:1056

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:580
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2656

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2956
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2736

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1652
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3064

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2548
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19191420621436808409-1096561330181804088-2572648132071176605-1904715810208635426"
1⤵
PID:2900

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1536
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2212

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:912

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2208
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2676

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2912
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2592

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2948
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:496

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1592
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2704

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1708
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-500634433-275719996-1490415335140289431-135827435795873831261944476290605844"
1⤵
PID:2652

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2164
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1444

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2172
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3111493561065976342-1760863254782472570-16908058538948889071116795507-1879535850"
1⤵
PID:1552

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:928
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2736

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2976
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2128

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1676
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2344

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3068
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1780

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2216
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2524

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:376
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1316270402-475988148-177962106216468343867482123542012168048-832854892-662733509"
1⤵
PID:2324

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1368
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2372

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2856
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9b213ab7e24254c54d4106b4a42bce40

SHA1
cadbef3fae6fb59a252a62573e81be7c0e8c5e2d

SHA256
1fba736c82bf1e934fb3e6d8b1d461c09a9ef093cf1d03dfea4a901baf374df2

SHA512
a133e3d79dc7ffae62a90ad3b982e0ad306749dc11ff69daca2004d413bf7595aac941e514af9b4374c53e19f474cab37bf2220f2625c4b6d55465372ef42783

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
45B

MD5
a08a46a0d2787378c0c181f1f11d35d0

SHA1
00b8ee63e73ccb6466cad64b743e1a494ed25e84

SHA256
9154bb3bc0860f3579e7015001bbfa00afe188321d6748e96e5db1f0bf863040

SHA512
738be9ceb340a287cef03dcc0a6062752333ed4a4e97c51bc3253048d93d5cc14b8f50b742bb0317de5200b639245c9dc8b7fa33ad57af61db70e06dba4bd73d

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
7fab149432584c5eece8ddf6a0971273

SHA1
6ff59977e1d8ab8d1907272ec904e4e9eff7a3ee

SHA256
4f932128a44b066e5954a5df3aa08baeafaeb21e16c3fcf5965193392fa70ed4

SHA512
176cbafb6ab80db0e02ffc7ca7994283579d5f2fe07872517497b47db1dff9d3e8bbc22b577fb912bbc71799e1312c626150ef469cdc45ac5004eab4a484e325

Download Submit
\Windows\SysWOW64\259446198.txt

Filesize
49KB

MD5
df925cce839a4e6400f3ea120089befe

SHA1
dd93bffd2460703e538f64cd34cc33faa49f7826

SHA256
b9b821302b719ecba2ddcf314714c05a9d9303d2fbe25ba77c0d1d7e1fff5743

SHA512
ed6b7191886a93037c848cbbc46ad4b0f5e528e9a7dc847eea769b40d1c7c0a23d34bb5fb6a5db9fc6e3fd7b3798c8918a23f37d04cc2ab7e289ad90275f20d4

Download Submit
memory/688-155-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/832-26-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/832-28-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/832-29-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/896-570-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/896-707-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1156-679-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1344-626-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1508-777-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1520-305-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1520-274-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1536-193-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1568-824-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1612-113-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1612-72-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1816-425-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1816-397-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1868-804-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1868-394-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1908-853-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1908-829-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2020-71-0x0000000005DA0000-0x0000000006100000-memory.dmp

Filesize
3.4MB

Download
memory/2020-335-0x0000000005DA0000-0x0000000006100000-memory.dmp

Filesize
3.4MB

Download
memory/2084-329-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2096-273-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2096-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2096-65-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/2096-64-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/2096-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2176-509-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2440-483-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2652-598-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2660-541-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2672-455-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2732-214-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2732-236-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2852-272-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2860-729-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2880-48-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-54-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-53-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-49-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-47-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2880-41-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2896-364-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2896-334-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2916-659-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2916-631-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2920-213-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2932-757-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download