Analysis
-
max time kernel
79s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-11-2024 20:16
Behavioral task
behavioral1
Sample
ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe
Resource
win7-20240708-en
General
-
Target
ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe
-
Size
1.2MB
-
MD5
f95f3c6e0603aa55308400190b9d359b
-
SHA1
f2f86593989e3950566e842066c48c054312ab18
-
SHA256
ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544
-
SHA512
4c1a151a6eda966a73ea2e5a65db473ad1f9970c87d10fe92a8f00ef081a6a2f406df74fb855912b521d1f9c37227aa605cf99560510977fae9941409a52f2fb
-
SSDEEP
24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti6:WIwgMEuy+inDfp3/XoCw57XYBwK6
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2736-24-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2736-23-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2548-50-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2548-53-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2548-57-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/1696-277-0x0000000005C70000-0x0000000005FD0000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 7 IoCs
resource yara_rule behavioral1/files/0x0008000000016ce8-15.dat family_gh0strat behavioral1/memory/2736-24-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2736-23-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2548-50-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2548-53-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2548-57-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/1696-277-0x0000000005C70000-0x0000000005FD0000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Ghiya.exe -
Server Software Component: Terminal Services DLL 1 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259463795.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259465090.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468335.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259465074.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468928.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259469021.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259470722.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259472453.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259459599.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259462532.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259463826.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259467227.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259467212.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468319.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259469801.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259471595.txt" AK47.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259472438.txt" AK47.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Ghiya.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe -
Executes dropped EXE 64 IoCs
pid Process 2408 AK47.exe 2340 AK47.exe 2736 AK74.exe 2656 Ghiya.exe 2548 Ghiya.exe 1948 svchcst.exe 1672 AK47.exe 1888 AK47.exe 1644 AK74.exe 2176 Ghiya.exe 2244 Ghiya.exe 2932 svchcst.exe 1256 AK47.exe 2124 AK47.exe 1736 AK74.exe 1548 Ghiya.exe 2492 Ghiya.exe 2336 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe 2344 svchcst.exe 2204 AK47.exe 308 AK47.exe 1700 AK74.exe 2660 Ghiya.exe 2980 Ghiya.exe 2752 svchcst.exe 2516 AK47.exe 2348 AK47.exe 2144 AK74.exe 2852 Ghiya.exe 1988 Ghiya.exe 2556 svchcst.exe 1144 AK47.exe 1316 AK47.exe 344 AK74.exe 2104 Ghiya.exe 2148 Ghiya.exe 1072 svchcst.exe 1720 AK47.exe 580 AK47.exe 2240 AK74.exe 2124 Ghiya.exe 1844 Ghiya.exe 2936 svchcst.exe 1260 AK47.exe 2972 AK47.exe 872 AK74.exe 392 Ghiya.exe 2300 Ghiya.exe 980 svchcst.exe 2624 AK47.exe 2700 AK47.exe 1000 AK74.exe 2684 Ghiya.exe 3056 Ghiya.exe 2708 svchcst.exe 2560 AK47.exe 3044 AK47.exe 2504 AK74.exe 2996 Ghiya.exe 1144 Ghiya.exe 3036 svchcst.exe 2096 AK47.exe 2912 AK47.exe 3048 AK74.exe -
Loads dropped DLL 64 IoCs
pid Process 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2408 AK47.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2840 svchost.exe 2656 Ghiya.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 1696 WScript.exe 1948 svchcst.exe 1948 svchcst.exe 1672 AK47.exe 1948 svchcst.exe 2176 Ghiya.exe 2932 svchcst.exe 2932 svchcst.exe 1256 AK47.exe 2124 AK47.exe 2932 svchcst.exe 1548 Ghiya.exe 2840 svchost.exe 2336 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe 2344 svchcst.exe 2344 svchcst.exe 2204 AK47.exe 308 AK47.exe 2344 svchcst.exe 2660 Ghiya.exe 2752 svchcst.exe 2752 svchcst.exe 2516 AK47.exe 2752 svchcst.exe 2852 Ghiya.exe 2556 svchcst.exe 2556 svchcst.exe 1144 AK47.exe 1316 AK47.exe 2556 svchcst.exe 2104 Ghiya.exe 1072 svchcst.exe 1072 svchcst.exe 1720 AK47.exe 580 AK47.exe 1072 svchcst.exe 2124 Ghiya.exe 2936 svchcst.exe 2936 svchcst.exe 1260 AK47.exe 2972 AK47.exe 2936 svchcst.exe 392 Ghiya.exe 980 svchcst.exe 980 svchcst.exe 980 svchcst.exe 2624 AK47.exe 2684 Ghiya.exe 2708 svchcst.exe 2708 svchcst.exe 2560 AK47.exe 2708 svchcst.exe 2996 Ghiya.exe 3036 svchcst.exe 3036 svchcst.exe 2096 AK47.exe -
resource yara_rule behavioral1/memory/2020-0-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2020-1-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/files/0x000a000000016d71-58.dat vmprotect behavioral1/memory/1948-71-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1948-113-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2932-157-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2020-169-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2344-210-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2752-240-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2556-272-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1072-308-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2936-311-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2936-339-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/980-343-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/980-368-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2708-399-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/3036-428-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2896-459-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1436-464-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1436-489-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2656-509-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1744-539-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/896-540-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/896-565-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/940-586-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2648-611-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1388-616-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1388-641-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2708-667-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2556-668-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2556-693-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2220-718-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2408-740-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2596-771-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/1800-796-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2000-817-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2932-843-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect behavioral1/memory/2240-871-0x0000000000400000-0x0000000000760000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe -
Drops file in System32 directory 44 IoCs
description ioc Process File created C:\Windows\SysWOW64\259468928.txt AK47.exe File created C:\Windows\SysWOW64\259469801.txt AK47.exe File created C:\Windows\SysWOW64\259470722.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259462532.txt AK47.exe File created C:\Windows\SysWOW64\259468319.txt AK47.exe File created C:\Windows\SysWOW64\259472438.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259463795.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259469801.txt AK47.exe File opened for modification C:\Windows\SysWOW64\Ghiya.exe AK74.exe File created C:\Windows\SysWOW64\259468335.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259465090.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe File created C:\Windows\SysWOW64\259465074.txt AK47.exe File created C:\Windows\SysWOW64\259469021.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259459599.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259467212.txt AK47.exe File created C:\Windows\SysWOW64\259466322.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259470722.txt AK47.exe File created C:\Windows\SysWOW64\Ghiya.exe AK74.exe File created C:\Windows\SysWOW64\259463826.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259471595.txt AK47.exe File created C:\Windows\SysWOW64\259472453.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259471595.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259462532.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe File created C:\Windows\SysWOW64\259466322.txt AK47.exe File created C:\Windows\SysWOW64\259467227.txt AK47.exe File opened for modification C:\Windows\SysWOW64\ini.ini AK47.exe -
resource yara_rule behavioral1/memory/2736-24-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2736-23-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2736-21-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2548-50-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2548-53-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2548-57-0x0000000010000000-0x00000000101BA000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AK47.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 916 cmd.exe 1752 cmd.exe 3032 PING.EXE 1640 cmd.exe 2236 PING.EXE 896 PING.EXE 2648 Process not Found 2764 cmd.exe 2156 cmd.exe 2772 cmd.exe 1492 PING.EXE 1716 PING.EXE 1544 PING.EXE 2208 cmd.exe 1496 cmd.exe 1968 PING.EXE 1068 PING.EXE 1316 PING.EXE 2128 PING.EXE 2580 Process not Found 1960 cmd.exe 2576 cmd.exe 2764 cmd.exe 1192 PING.EXE 2188 Process not Found 2528 Process not Found 1492 Process not Found 2784 Process not Found 1952 PING.EXE 1700 PING.EXE 344 cmd.exe 2764 PING.EXE 752 Process not Found 1736 Process not Found 1600 cmd.exe 3036 cmd.exe 2564 PING.EXE 1580 PING.EXE 2832 Process not Found 2152 Process not Found 1148 PING.EXE 2592 PING.EXE 2448 PING.EXE 3036 PING.EXE 2096 PING.EXE 2252 Process not Found 1856 Process not Found 2480 Process not Found 1544 Process not Found 1808 Process not Found 2124 PING.EXE 1948 PING.EXE 3044 PING.EXE 1672 PING.EXE 2964 Process not Found 3012 Process not Found 2068 PING.EXE 344 cmd.exe 2456 Process not Found 2404 PING.EXE 1600 Process not Found 428 PING.EXE 1348 cmd.exe 968 cmd.exe -
Runs ping.exe 1 TTPs 64 IoCs
pid Process 2156 Process not Found 3004 PING.EXE 1236 PING.EXE 1968 PING.EXE 2484 PING.EXE 1064 Process not Found 2532 Process not Found 2240 Process not Found 2124 PING.EXE 1684 PING.EXE 2468 PING.EXE 2128 PING.EXE 2652 Process not Found 2264 PING.EXE 1700 PING.EXE 2272 PING.EXE 2592 PING.EXE 2576 PING.EXE 2444 PING.EXE 1808 Process not Found 2420 PING.EXE 1704 Process not Found 2480 Process not Found 2092 Process not Found 2760 Process not Found 1700 PING.EXE 1596 Process not Found 2188 Process not Found 1492 PING.EXE 2236 Process not Found 2256 PING.EXE 1744 PING.EXE 1744 PING.EXE 1740 PING.EXE 2236 PING.EXE 1260 PING.EXE 2576 PING.EXE 1356 PING.EXE 392 PING.EXE 836 PING.EXE 2736 PING.EXE 2504 PING.EXE 1552 Process not Found 1472 PING.EXE 1036 PING.EXE 1684 PING.EXE 1856 Process not Found 1544 Process not Found 2184 PING.EXE 2068 PING.EXE 2972 Process not Found 2868 Process not Found 2636 Process not Found 1704 PING.EXE 1324 PING.EXE 2584 PING.EXE 776 PING.EXE 2096 PING.EXE 1324 PING.EXE 1384 PING.EXE 2668 Process not Found 3036 PING.EXE 1436 PING.EXE 2684 Process not Found -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2548 Ghiya.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2736 AK74.exe Token: SeLoadDriverPrivilege 2548 Ghiya.exe Token: SeIncBasePriorityPrivilege 1644 AK74.exe Token: SeIncBasePriorityPrivilege 1736 AK74.exe Token: SeIncBasePriorityPrivilege 1700 AK74.exe Token: SeIncBasePriorityPrivilege 2144 AK74.exe Token: SeIncBasePriorityPrivilege 344 AK74.exe Token: SeIncBasePriorityPrivilege 2240 AK74.exe Token: SeIncBasePriorityPrivilege 872 AK74.exe Token: SeIncBasePriorityPrivilege 1000 AK74.exe Token: SeIncBasePriorityPrivilege 2504 AK74.exe Token: SeIncBasePriorityPrivilege 3048 AK74.exe Token: SeIncBasePriorityPrivilege 1040 AK74.exe Token: SeIncBasePriorityPrivilege 2732 AK74.exe Token: SeIncBasePriorityPrivilege 1764 AK74.exe Token: SeIncBasePriorityPrivilege 2140 AK74.exe Token: SeIncBasePriorityPrivilege 2892 AK74.exe Token: SeIncBasePriorityPrivilege 2412 AK74.exe Token: SeIncBasePriorityPrivilege 2328 AK74.exe Token: SeIncBasePriorityPrivilege 2516 AK74.exe Token: SeIncBasePriorityPrivilege 2104 AK74.exe Token: SeIncBasePriorityPrivilege 3048 AK74.exe Token: SeIncBasePriorityPrivilege 1792 AK74.exe Token: SeIncBasePriorityPrivilege 2704 AK74.exe Token: SeIncBasePriorityPrivilege 2768 AK74.exe Token: SeIncBasePriorityPrivilege 1900 AK74.exe Token: SeIncBasePriorityPrivilege 2096 AK74.exe Token: SeIncBasePriorityPrivilege 2488 AK74.exe Token: SeIncBasePriorityPrivilege 2668 AK74.exe Token: SeIncBasePriorityPrivilege 2780 AK74.exe Token: SeIncBasePriorityPrivilege 1892 AK74.exe Token: SeIncBasePriorityPrivilege 2588 AK74.exe Token: SeIncBasePriorityPrivilege 752 AK74.exe Token: SeIncBasePriorityPrivilege 2332 AK74.exe Token: SeIncBasePriorityPrivilege 2016 AK74.exe Token: SeIncBasePriorityPrivilege 1148 AK74.exe Token: SeIncBasePriorityPrivilege 2000 AK74.exe Token: SeIncBasePriorityPrivilege 3020 AK74.exe Token: SeIncBasePriorityPrivilege 2408 AK74.exe Token: SeIncBasePriorityPrivilege 1844 AK74.exe Token: SeIncBasePriorityPrivilege 2528 AK74.exe Token: SeIncBasePriorityPrivilege 1832 AK74.exe Token: SeIncBasePriorityPrivilege 2844 AK74.exe Token: SeIncBasePriorityPrivilege 2704 AK74.exe Token: SeIncBasePriorityPrivilege 2148 AK74.exe Token: SeIncBasePriorityPrivilege 2816 AK74.exe Token: SeIncBasePriorityPrivilege 2392 AK74.exe Token: SeIncBasePriorityPrivilege 1856 AK74.exe Token: SeIncBasePriorityPrivilege 2300 AK74.exe Token: SeIncBasePriorityPrivilege 1676 AK74.exe Token: SeIncBasePriorityPrivilege 1680 AK74.exe Token: SeIncBasePriorityPrivilege 916 AK74.exe Token: SeIncBasePriorityPrivilege 1660 AK74.exe Token: SeIncBasePriorityPrivilege 2300 AK74.exe Token: SeIncBasePriorityPrivilege 1952 AK74.exe Token: SeIncBasePriorityPrivilege 1680 AK74.exe Token: SeIncBasePriorityPrivilege 896 AK74.exe Token: SeIncBasePriorityPrivilege 1660 AK74.exe Token: SeIncBasePriorityPrivilege 2572 AK74.exe Token: SeIncBasePriorityPrivilege 1952 AK74.exe Token: SeIncBasePriorityPrivilege 1680 AK74.exe Token: SeIncBasePriorityPrivilege 2000 AK74.exe Token: SeIncBasePriorityPrivilege 2652 AK74.exe Token: SeIncBasePriorityPrivilege 1088 AK74.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 1948 svchcst.exe 1948 svchcst.exe 2932 svchcst.exe 2932 svchcst.exe 2344 svchcst.exe 2344 svchcst.exe 2752 svchcst.exe 2752 svchcst.exe 2556 svchcst.exe 2556 svchcst.exe 1072 svchcst.exe 1072 svchcst.exe 2936 svchcst.exe 2936 svchcst.exe 980 svchcst.exe 980 svchcst.exe 2708 svchcst.exe 2708 svchcst.exe 3036 svchcst.exe 3036 svchcst.exe 2896 svchcst.exe 2896 svchcst.exe 1436 svchcst.exe 1436 svchcst.exe 2656 svchcst.exe 2656 svchcst.exe 1744 svchcst.exe 1744 svchcst.exe 896 svchcst.exe 896 svchcst.exe 940 svchcst.exe 940 svchcst.exe 2648 svchcst.exe 2648 svchcst.exe 1388 svchcst.exe 1388 svchcst.exe 2708 svchcst.exe 2708 svchcst.exe 2556 svchcst.exe 2556 svchcst.exe 2220 svchcst.exe 2220 svchcst.exe 2408 svchcst.exe 2408 svchcst.exe 2596 svchcst.exe 2596 svchcst.exe 1800 svchcst.exe 1800 svchcst.exe 2000 svchcst.exe 2000 svchcst.exe 2932 svchcst.exe 2932 svchcst.exe 2240 svchcst.exe 2240 svchcst.exe 1700 svchcst.exe 1700 svchcst.exe 2816 svchcst.exe 2816 svchcst.exe 2076 svchcst.exe 2076 svchcst.exe 1608 svchcst.exe 1608 svchcst.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2408 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 30 PID 2020 wrote to memory of 2408 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 30 PID 2020 wrote to memory of 2408 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 30 PID 2020 wrote to memory of 2408 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 30 PID 2020 wrote to memory of 2340 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 31 PID 2020 wrote to memory of 2340 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 31 PID 2020 wrote to memory of 2340 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 31 PID 2020 wrote to memory of 2340 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 31 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2020 wrote to memory of 2736 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 32 PID 2736 wrote to memory of 2520 2736 AK74.exe 36 PID 2736 wrote to memory of 2520 2736 AK74.exe 36 PID 2736 wrote to memory of 2520 2736 AK74.exe 36 PID 2736 wrote to memory of 2520 2736 AK74.exe 36 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2656 wrote to memory of 2548 2656 Ghiya.exe 38 PID 2520 wrote to memory of 2068 2520 cmd.exe 39 PID 2520 wrote to memory of 2068 2520 cmd.exe 39 PID 2520 wrote to memory of 2068 2520 cmd.exe 39 PID 2520 wrote to memory of 2068 2520 cmd.exe 39 PID 2020 wrote to memory of 1696 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 40 PID 2020 wrote to memory of 1696 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 40 PID 2020 wrote to memory of 1696 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 40 PID 2020 wrote to memory of 1696 2020 ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe 40 PID 1696 wrote to memory of 1948 1696 WScript.exe 42 PID 1696 wrote to memory of 1948 1696 WScript.exe 42 PID 1696 wrote to memory of 1948 1696 WScript.exe 42 PID 1696 wrote to memory of 1948 1696 WScript.exe 42 PID 1948 wrote to memory of 1672 1948 svchcst.exe 43 PID 1948 wrote to memory of 1672 1948 svchcst.exe 43 PID 1948 wrote to memory of 1672 1948 svchcst.exe 43 PID 1948 wrote to memory of 1672 1948 svchcst.exe 43 PID 1948 wrote to memory of 1888 1948 svchcst.exe 44 PID 1948 wrote to memory of 1888 1948 svchcst.exe 44 PID 1948 wrote to memory of 1888 1948 svchcst.exe 44 PID 1948 wrote to memory of 1888 1948 svchcst.exe 44 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 1948 wrote to memory of 1644 1948 svchcst.exe 45 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 2176 wrote to memory of 2244 2176 Ghiya.exe 48 PID 1644 wrote to memory of 2072 1644 AK74.exe 47 PID 1644 wrote to memory of 2072 1644 AK74.exe 47 PID 1644 wrote to memory of 2072 1644 AK74.exe 47 PID 1644 wrote to memory of 2072 1644 AK74.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe"C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe2⤵
- Executes dropped EXE
PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul3⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2068
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1672
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:428
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1256
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1088
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1000
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:308
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2812
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2524
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:664
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2520
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1144
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1316
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2208 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2184
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:580
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2128
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1764
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1260
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1600
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2272
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:980 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2372
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1472
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1924
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1048
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1840
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1780
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3000
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1548
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2444
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1640 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1068
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1600 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2068
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2372
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2588
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:896 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2784
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:344
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2488
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:940 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1824
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2972
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2264
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1176
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:628
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3004
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2720
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2852
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1148
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2868
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2584
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2860
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2180
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:736
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2288
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2124
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2084
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:748
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:392
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2736
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2936
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2804
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2756
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2848
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1808
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:2392
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2396
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2764 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2800
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1960
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1724
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1856
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1072
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:916 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:2256
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1048
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1436
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1500
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:392
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:576
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1984
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2156
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:664
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2376
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1952
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1324
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1760
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1496 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1704
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2460
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1572
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1236
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:916
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1744
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1348 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2592
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1052
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2624
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2860
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2488
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1952
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:620
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2728
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2448
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2456
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1384
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2356
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3036 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1744
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1240
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2084
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1348
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1660
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2484
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1324
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2240
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2848
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1332
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2724
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:336
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1740
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1544
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2380
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2456
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3012
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2372
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3036
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:580
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:752
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1536
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1144
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:680
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2088
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2156 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:836
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2496
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1984
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2584
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1792
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2476
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2832
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1436
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:968 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1700
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:816
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1844
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1960 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2404
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1384
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2756
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:776
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1240
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:444
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1968
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:1652
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:344 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:752
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:620
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:876
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1948
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2596
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:748
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2576 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1960
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2876
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2552
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:992
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1984
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2260
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1332
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2220
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2564
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1692
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1620
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1948
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:444
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1744
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2576
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2908
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1780
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1652
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1684
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1636
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2640
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3044
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2748
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2524
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1260
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1680
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1148
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2148
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2120
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:444
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1700
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1780
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2772 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1324
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:344 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2244
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3028
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:3036
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:676
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2596
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1236
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2000
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1600
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1068
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2692
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2764
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2032
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2308
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1824
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2272
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2468
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1036
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2964
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2356
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1808
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2096
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1744
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:3012
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2524
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2148
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2980
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1576
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2668
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2700
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1144
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2156
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2768
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:872
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1040
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2684
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2520
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2948
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2000
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2236
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1072
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2488
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2736
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2272
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1856
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1924
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1732
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2440
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:868
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2164
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2468
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1388
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2460
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2644
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1720
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1472
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3028
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:680
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2576
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1752 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2860
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1056
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1704
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2404
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:336
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1824
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2600
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:748
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:876
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1580
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1508
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1492
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2644
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2764 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1356
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2484
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2716
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2228
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1652
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1684
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1436
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3036
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2440
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2444
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2908
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:896
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:936
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1352
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1636
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2100
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2136
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3032
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2168
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2688
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1608
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1444
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2592
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1544
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2528
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2200
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2504
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1660
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:936
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2420
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1760
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2408
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1492
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:444
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2612
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1144
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2240
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2088
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2016
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1672
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1772
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2196
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1684
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2392
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3024
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:596
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:684
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1068
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2096
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1736
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2388
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2692
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1316
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1728
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1716
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2136
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2308
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1704
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2484
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2220
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1516
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1824
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3036
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1508
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1572
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2356
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1192
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2256
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2480
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2096
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2636
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2128
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2088
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1088
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵PID:2672
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259459599.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2244
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2492
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2980
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:1988
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2148
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:1844
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2300
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:3056
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:1144
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1052
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:444
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-116725316212548214214303005171344693569-7306807351551888229-15043944002095384914"1⤵PID:1720
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2932
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1260
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2632
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2224
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2996
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1908
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1052
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1048
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1233678843-12358472911183455941-1089575767-10829828292090969313-865768296-1514755288"1⤵PID:1924
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3028
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1260
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1436
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2480
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2712
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1988
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-14290032001977581502-1167130930804857847-1050591789-1248000509-116033514-1833686141"1⤵PID:1068
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1744
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2996
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:896
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2476
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1766186252-696800364-1676755629-1249705406-514081952-532152929-12464247651841999967"1⤵PID:3000
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1660
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2308
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2728
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1288
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2016
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3004
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1982618916-947783764-1955515695-76155804261841444-2106981601-4560974141647170455"1⤵PID:1988
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2948
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2532
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2556
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2468
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13178876981222020126459319747-956798811129086667-152827203-953062529-801548278"1⤵PID:2476
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:560
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2728
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1636
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2752
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:980
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "8272234856077450001983512225-7343296059895963127501397743538592721320281957"1⤵PID:2224
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2532
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "804706331-76711503-7321583542043650696262760624158948830-205056606-1488668928"1⤵PID:736
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1316
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "748735228170827054720326827941856883076-2057069223-885280399519720479330627865"1⤵PID:2180
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2488
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3064
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "780664935-384067380827809909482442391-1689846239-78421738216522382531655820746"1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2812
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2848
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-17037979542077848407-936869970-1811611546598032582-1401609766-1309946540-780179976"1⤵PID:1808
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2560
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2104
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2176
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2084
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1536
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2936
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2660
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2748
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1388
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2516
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:816
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2172
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1672
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "108021899317343239648514497971354411905637010232-984408156-1655708227-525368417"1⤵PID:1456
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1036
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2688
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1886097581-12472284271020008082-140403311417360765875535539406103042571279664295"1⤵PID:2468
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1932
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3064
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2824
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1176
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2100
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2576
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1955299037165452467-1690173173-476350642-13260953191324798276405955531426731740"1⤵PID:2560
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2744
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:428
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:736
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:284
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1732
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2476
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2672
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1824
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:352
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2328
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2060
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1659244563-18128212579571551615507907504410491032015622404-18328614-1851935841"1⤵PID:2728
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1744
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:284
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1780
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1288
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2660
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:876
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2328
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1516
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1980
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2920
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1724
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2076
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2032
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1260
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1548
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2140
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1788
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1712
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1716
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2920
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1592
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2128
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-666353352134386414-20081609641967161830-215832770-1988750047-2059432456-957230767"1⤵PID:2584
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3036
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2948
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2800
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1148
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:924
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:736
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2516
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1608
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1480
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2780
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1461830918794787748-1209977668-14697864211601376231342429070-11177315611754420008"1⤵PID:2688
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1064
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2532
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13709372503621191626459319781494060988122161880-7391812111417134762-1283102823"1⤵PID:2372
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2972
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2816
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1754727948393026682785402551543881836-17836199162067578458-467746200-1446288344"1⤵PID:2724
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2920
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16266297472141176509-1525290386-3563756081512380758501694518410206861564496638"1⤵PID:1792
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2652
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2764
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2408
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2672
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-457187075-1387614192-3828762211888916009-1213627525-2057048312-1520912829-663351230"1⤵PID:1436
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2708
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2684
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2376
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1612
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1492
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1988
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3938374641874547437-1008655494-340366718542561459-2010938005529524826-1995853237"1⤵PID:924
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1760
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2936
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2348
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2408
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1210485829247701224542329411-677759849952667351760143529-1734667124-1836252355"1⤵PID:2016
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2712
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2916
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1544
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3036
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1776
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1832
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2124
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2936
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:444
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:816
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2692
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2744
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2716
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1004497758-161965995621230622271342303749-553205564-137893131-666421451755729573"1⤵PID:1824
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2340
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2976
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "657779636-864500017-18688077422478343601741560513-455552608-708629093-1110966978"1⤵PID:2060
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2864
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2728
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2988
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3032
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1984
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1348
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2896
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:336
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1684
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1680
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2444
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1272
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1780
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1072
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2496
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1548
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2300
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2844
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1652
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1654391110548233287-873914387-16836165311826942366-1965908771-1941225219-630293550"1⤵PID:2708
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:932
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2768
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:916
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1832
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2372
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2892
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3000
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2408
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "607140687-1962488423-4827402784333051021560803547-876898778580874850702311055"1⤵PID:1756
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2612
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:392
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2148
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1996
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2060
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2376
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1660
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2992
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1141496118-1268800820-1735130147264464172849921545-14020019941155157709766635159"1⤵PID:1980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1620
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2936
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2692
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2884
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2240
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1788
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1369232798-998058478-2528603691214777653-1744724506130606564948356684-262067166"1⤵PID:2552
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2396
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2768
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2600
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2140
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3064
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1180
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2100
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1691640331-1610013799-1562585078-1240883956933096843-14217243222070306360203599512"1⤵PID:2304
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1900
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2144
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2996
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2816
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:344
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1496
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2784
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1660
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1554112625-913891421828994506-123772943418264909221110384742-1954684477-1070627415"1⤵PID:2024
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1808
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2496
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:580
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:680
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1952
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2408
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1381119365649397136858634911-773704923774454172054153352-1796699776501665655"1⤵PID:1652
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1144
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2340
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-19337711551343969782-1729993629-1229349834-1393025208-415739891736458329-335626122"1⤵PID:1772
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3040
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:980
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2792
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:908
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:992
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2332
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2040
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2144
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2712
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92B
MD529ce53e2a4a446614ccc8d64d346bde4
SHA139a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA25656225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa
-
Filesize
753B
MD59469186927e2ff2448b3be012f683cca
SHA153ccdfb2df03efb3f5325479c2701f1da4ba5643
SHA256b7725f38f15ed0a0fd13806d87dfa9c2ab8477a2201bc8707c9e7794a0131c57
SHA5129bfbd9484823c578bd741c078b95cdc2df24f2d64641f431f6fbbea0da5a01979bd1239f5c58dc2f58889aabd51ec3438f3be71865d03c788574aeba2589fb0a
-
Filesize
90B
MD545a93f0ecc3fd6133115720510a73fef
SHA10452596780512194a68ad64bec0cec93d41c2ac1
SHA2565ed11a24ffbfe04b4fcb82533fd21e5044d9f796e6fc5f8db1fdda009e3ed2fb
SHA512a1ee9e3e97d9af9ab09b8cdd4a1957eef00e8f0acaf3ab9995ac3b5c224c7c3a1f20f107fcf85ae4ce21bf72eb739b2a2f5319b5c47b4e67eb0a629801717e20
-
Filesize
45B
MD5809f53c5859cc4d0a188855255ca3171
SHA1b9030cbc816f5e0b11fad0a45580fb22a1b1ce59
SHA2567f56e7cbd255033124e124460f185d40c8c39f5b340e7529db640e2f1315ea79
SHA5125da1df4f3db1fc08efabe71835b332d556f97abf3a1d918c40df4be137b915d91d61aa8f9274609000f96a4bf98bb0233c1ed297e845488de113cb8df49cdb63
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
Filesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
Filesize
1.2MB
MD5fd362b3bf7400e141df5ed17f969e890
SHA1b96785d1266c939fa8645adb11fdc5e677a89e9d
SHA256736c6fc2ee9ffc369d4556e9fcd47e31fd45186ed814108dac4bc6e2c048f4f8
SHA5120bbcfe49902a5c12ab0c50701ae59f5bf3c8ebe6206251f8453089ef7b303b12a84407d6c60f79ed202cb4c09829b410491bf3a924d882169c2049ea7c785ae2
-
Filesize
49KB
MD509e9211b58397b730f0d68f4fc7dd72f
SHA1768697bf04b0f0e0965885911dc0d441831c29b7
SHA2565277b63bb8d13a83265b9e88c3c4f002d85dad1d7447569442b96dee0004a483
SHA5126585866521e3629b9859fbafe04f13f018f71893dc31041fe7490d1f62c756ec9bf8dddc1d2fae237178307ddd405b3470919a74cca2e85bdb4401950956a143