Analysis Overview
SHA256
ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544
Threat Level: Known bad
The file ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Detect PurpleFox Rootkit
Purplefox family
Gh0st RAT payload
PurpleFox
Gh0strat family
Sets service image path in registry
Server Software Component: Terminal Services DLL
Drops file in Drivers directory
Checks computer location settings
VMProtect packed file
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
UPX packed file
Drops file in System32 directory
Program crash
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 20:16
Signatures
VMProtect packed file
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 20:16
Reported
2024-11-19 20:19
Platform
win7-20240708-en
Max time kernel
79s
Max time network
152s
Command Line
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259463795.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259465090.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468335.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259465074.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468928.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259469021.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259470722.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259472453.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259459599.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259462532.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259463826.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259467227.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259467212.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259468319.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259469801.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259471595.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259472438.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Executes dropped EXE
Loads dropped DLL
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\259468928.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259469801.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259470722.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259462532.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259468319.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259472438.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259463795.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\259468335.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259465090.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259465074.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259469021.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259459599.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259467212.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259466322.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\259463826.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259471595.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259472453.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\259467227.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe
"C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259459599.txt",MainThread
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-116725316212548214214303005171344693569-7306807351551888229-15043944002095384914"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1233678843-12358472911183455941-1089575767-10829828292090969313-865768296-1514755288"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14290032001977581502-1167130930804857847-1050591789-1248000509-116033514-1833686141"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1766186252-696800364-1676755629-1249705406-514081952-532152929-12464247651841999967"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1982618916-947783764-1955515695-76155804261841444-2106981601-4560974141647170455"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13178876981222020126459319747-956798811129086667-152827203-953062529-801548278"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8272234856077450001983512225-7343296059895963127501397743538592721320281957"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "804706331-76711503-7321583542043650696262760624158948830-205056606-1488668928"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "748735228170827054720326827941856883076-2057069223-885280399519720479330627865"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "780664935-384067380827809909482442391-1689846239-78421738216522382531655820746"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17037979542077848407-936869970-1811611546598032582-1401609766-1309946540-780179976"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108021899317343239648514497971354411905637010232-984408156-1655708227-525368417"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1886097581-12472284271020008082-140403311417360765875535539406103042571279664295"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1955299037165452467-1690173173-476350642-13260953191324798276405955531426731740"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1659244563-18128212579571551615507907504410491032015622404-18328614-1851935841"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-666353352134386414-20081609641967161830-215832770-1988750047-2059432456-957230767"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1461830918794787748-1209977668-14697864211601376231342429070-11177315611754420008"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13709372503621191626459319781494060988122161880-7391812111417134762-1283102823"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1754727948393026682785402551543881836-17836199162067578458-467746200-1446288344"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16266297472141176509-1525290386-3563756081512380758501694518410206861564496638"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-457187075-1387614192-3828762211888916009-1213627525-2057048312-1520912829-663351230"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3938374641874547437-1008655494-340366718542561459-2010938005529524826-1995853237"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1210485829247701224542329411-677759849952667351760143529-1734667124-1836252355"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1004497758-161965995621230622271342303749-553205564-137893131-666421451755729573"
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "657779636-864500017-18688077422478343601741560513-455552608-708629093-1110966978"
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cf1549064127.f3322.net | udp |
| CN | 43.249.193.73:54997 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\AK47.exe
\Windows\SysWOW64\259459599.txt
\Users\Admin\AppData\Local\Temp\AK74.exe
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
C:\Windows\SysWOW64\ini.ini
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 20:16
Reported
2024-11-19 20:19
Platform
win10v2004-20241007-en
Max time kernel
24s
Max time network
152s
Command Line
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240631531.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240624625.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240624609.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630546.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240627171.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628750.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240630562.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240629687.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240631640.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240636000.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240631546.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240627187.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240627203.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628781.txt" | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240624609.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240635984.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240636000.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240624625.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\240630546.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240627171.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240629687.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240631546.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240631531.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240633015.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240627203.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240631640.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240627187.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghiya.exe | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| File created | C:\Windows\SysWOW64\240630562.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| File created | C:\Windows\SysWOW64\240628750.txt | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghiya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AK47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AK74.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Ghiya.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe
"C:\Users\Admin\AppData\Local\Temp\ac76621c34fd5005781152c8fad79002744262cc91ca9eafc0b37c46296ea544.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240624609.txt",MainThread
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2020 -ip 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4412 -ip 4412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 500
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
Files
C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Windows\SysWOW64\240624609.txt
C:\Windows\SysWOW64\ini.ini
C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini