Analysis
max time kernel: 65s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 23-12-2024 02:44
Behavioral task: behavioral1
Sample: 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe
Resource: win7-20240903-en
General
Target: 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe
Size: 1.2MB
MD5: 69070a1314c6609eb499e8e30217250c
SHA1: 4400dc7637584d988aef9305f0e206fcf88adfe9
SHA256: 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c
SHA512: a2122ca7cd4cb881da502d7f6071998c665839f5bda7cb8c8a4e6955af730141b536e9c5b68bf18f7cc96524c685f934f757de135e218ad549b535555fe23bfd
SSDEEP: 24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti2:WIwgMEuy+inDfp3/XoCw57XYBwK2
Malware Config
Signatures
Gh0st RAT payload 10 IoCs
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
File created: C:\Windows\system32\drivers\QAssist.sys (process Ghiya.exe)
Server Software Component: Terminal Services DLL 1 TTPs 16 IoCs
Sets service image path in registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (process Ghiya.exe)
Checks computer location settings 2 TTPs 48 IoCs
Looks up the country code configured in the registry, likely a geofence.
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk (process 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe)
Executes dropped EXE 64 IoCs
Loads dropped DLL 19 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" (process 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe)
Drops file in System32 directory 42 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid 2996, pid_target 4764, Process WerFault.exe, procid_target 97
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies registry class 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (process 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process WScript.exe)
Runs ping.exe 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
pid 2280 Ghiya.exe
Suspicious behavior: RenamesItself 1 IoCs
pid 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4992 wrote to memory of 4656 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 85
PID 4992 wrote to memory of 4656 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 85
PID 4992 wrote to memory of 4656 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 85
PID 4992 wrote to memory of 4692 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 86
PID 4992 wrote to memory of 4692 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 86
PID 4992 wrote to memory of 4692 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 86
PID 4992 wrote to memory of 384 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 88
PID 4992 wrote to memory of 384 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 88
PID 4992 wrote to memory of 384 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 88
PID 384 wrote to memory of 3104 384 AK74.exe 90
PID 384 wrote to memory of 3104 384 AK74.exe 90
PID 384 wrote to memory of 3104 384 AK74.exe 90
PID 4664 wrote to memory of 2280 4664 Ghiya.exe 91
PID 4664 wrote to memory of 2280 4664 Ghiya.exe 91
PID 4664 wrote to memory of 2280 4664 Ghiya.exe 91
PID 4992 wrote to memory of 4824 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 93
PID 4992 wrote to memory of 4824 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 93
PID 4992 wrote to memory of 4824 4992 5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe 93
PID 4824 wrote to memory of 3056 4824 WScript.exe 95
PID 4824 wrote to memory of 3056 4824 WScript.exe 95
PID 4824 wrote to memory of 3056 4824 WScript.exe 95
PID 3104 wrote to memory of 700 3104 cmd.exe 136
PID 3104 wrote to memory of 700 3104 cmd.exe 136
PID 3104 wrote to memory of 700 3104 cmd.exe 136
PID 3056 wrote to memory of 4764 3056 svchcst.exe 97
PID 3056 wrote to memory of 4764 3056 svchcst.exe 97
PID 3056 wrote to memory of 4764 3056 svchcst.exe 97
PID 3056 wrote to memory of 3632 3056 svchcst.exe 130
PID 3056 wrote to memory of 3632 3056 svchcst.exe 130
PID 3056 wrote to memory of 3632 3056 svchcst.exe 130
PID 3056 wrote to memory of 4044 3056 svchcst.exe 99
PID 3056 wrote to memory of 4044 3056 svchcst.exe 99
PID 3056 wrote to memory of 4044 3056 svchcst.exe 99
PID 4044 wrote to memory of 3448 4044 AK74.exe 103
PID 4044 wrote to memory of 3448 4044 AK74.exe 103
PID 4044 wrote to memory of 3448 4044 AK74.exe 103
PID 4324 wrote to memory of 2976 4324 Ghiya.exe 104
PID 4324 wrote to memory of 2976 4324 Ghiya.exe 104
PID 4324 wrote to memory of 2976 4324 Ghiya.exe 104
PID 4824 wrote to memory of 1220 4824 WScript.exe 107
PID 4824 wrote to memory of 1220 4824 WScript.exe 107
PID 4824 wrote to memory of 1220 4824 WScript.exe 107
PID 3448 wrote to memory of 4592 3448 cmd.exe 108
PID 3448 wrote to memory of 4592 3448 cmd.exe 108
PID 3448 wrote to memory of 4592 3448 cmd.exe 108
PID 1220 wrote to memory of 3320 1220 svchcst.exe 174
PID 1220 wrote to memory of 3320 1220 svchcst.exe 174
PID 1220 wrote to memory of 3320 1220 svchcst.exe 174
PID 1220 wrote to memory of 4892 1220 svchcst.exe 110
PID 1220 wrote to memory of 4892 1220 svchcst.exe 110
PID 1220 wrote to memory of 4892 1220 svchcst.exe 110
PID 1220 wrote to memory of 4432 1220 svchcst.exe 111
PID 1220 wrote to memory of 4432 1220 svchcst.exe 111
PID 1220 wrote to memory of 4432 1220 svchcst.exe 111
PID 4432 wrote to memory of 2992 4432 AK74.exe 113
PID 4432 wrote to memory of 2992 4432 AK74.exe 113
PID 4432 wrote to memory of 2992 4432 AK74.exe 113
PID 732 wrote to memory of 4832 732 Ghiya.exe 114
PID 732 wrote to memory of 4832 732 Ghiya.exe 114
PID 732 wrote to memory of 4832 732 Ghiya.exe 114
PID 4824 wrote to memory of 4856 4824 WScript.exe 116
PID 4824 wrote to memory of 4856 4824 WScript.exe 116
PID 4824 wrote to memory of 4856 4824 WScript.exe 116
PID 2992 wrote to memory of 4908 2992 cmd.exe 225
Processes
C:\Users\Admin\AppData\Local\Temp\5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe"C:\Users\Admin\AppData\Local\Temp\5000681eef7005d67777195b4adabfd2ee49163300a987140f921f820d18ea8c.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4656
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4692
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:700
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 4325⤵
- Program crash
PID:2996
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3632
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4592
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3320
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4908
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3572
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2748
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:520 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3460
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4536
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3080
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3052
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:792
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:700 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3320
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:756
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:5056
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4828
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4656
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3736
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2684
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1320
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2364
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1328
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2040
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:788
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3572
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:232 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:4476
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4268
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4064
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2940 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3536
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4284 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4872
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1388
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3384
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3960
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4480
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4540
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3680 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2080
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4976
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2920
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3048
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2684
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4288
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2524
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4548 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:4000
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4828
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:4016
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1188
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:220
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1376
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3212
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4072
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2616
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4012
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3980
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4144 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3092
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2232
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1068
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1200
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1568
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3212
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:696
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:5100
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:716
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1432
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2300
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4432 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3456
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4104
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2616
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4912 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2232
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3436
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2964
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1904
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:4780
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1884
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:748
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2236
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1380
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1036
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4428
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:4776
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2312
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:700
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3436 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:788
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2996
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:468
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3728 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1264
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4428 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3100
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4016
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1868
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1376
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:3892
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4064 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4476
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1200
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:560 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:348
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3564
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4892
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3056
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1528
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4864
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4016
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2920
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:388
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:748
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4424
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:732
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2116
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:5012
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2524
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4640 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2164
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4144
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2232
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4904
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1904
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:788
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4108 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3728
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:684
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1680
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3564
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1528
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2164
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:4680
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:212
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4380
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2996
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3340
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2356
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:1884 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3980
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:5028
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3284
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2832
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1388
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1820
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4480 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2144
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4912
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3020
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1376
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1316
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1680
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Checks computer location settings
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:220
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3336
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1884
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3080
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2132 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5080
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2148
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1360
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2920
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:4552
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4932
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4240
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2412
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4344
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2468 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3012
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3992
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2856
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:232
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3144
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4912
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2488
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1612
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4920
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4648 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2076
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3768
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2180
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:220
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3980
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2904 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3336
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:544
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:4660
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3880
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3256
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3836
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:412
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:728 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2100
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:928
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4816
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1732
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3268
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1768
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:4296
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1380
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4012
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3384
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3612 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2540
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1280
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1444 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5044
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:4920
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:4836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1400
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3020
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3340
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4044
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3768
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3692
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:348
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1656 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4296
-
-
-
-
-
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2468
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2824
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4804
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 1812
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 692
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4104
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4008
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4672
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 992
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2080
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1940
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3044
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3880

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1224
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2996
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 2480
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4552
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2536
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 928
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4648
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2124
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 2112
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2500
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4960
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5028
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1804
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1800
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3100
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1272
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 1436
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4848
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 932
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2256
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3952
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 2616
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 3672
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3320
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4864
            - System Network Configuration Discovery: Internet Connection Discovery

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4840
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4616
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1388
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4744
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4092
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4144
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1940
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4836
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 236
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4016
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2252
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2232
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3340
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4884
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4900
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1560
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 1680
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2220
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2180
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 3284
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4776
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4432
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4028
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3304
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4848
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4640
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2272
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3384
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 5036
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 232
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4380
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2904
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 460
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4624
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 5080
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1304
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4480
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1940
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4984
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3956
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1328
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2752
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 928
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 888
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3340
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1224
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4424
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3768
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4648
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2124
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4436
            - System Network Configuration Discovery: Internet Connection Discovery

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2116
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 348
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3032
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4544
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 932
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3284
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2696
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4296
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 1828
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3108
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4032
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1528
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4660

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4180
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3360
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3892
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2364
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4856
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1940
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4008
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 388
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3836
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 212
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1396
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4388
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2300
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4404
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1680
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2356
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 5100
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4044
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2236
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4260
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 824
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 1732
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3268
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 932
            - System Network Configuration Discovery: Internet Connection Discovery

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1884
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4104
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4032
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4012
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1812
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4660
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1528
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4132
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3620
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4000
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2104
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3248
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4856
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 1152
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1200
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2336
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4476
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3768
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1316
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3536
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4344
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 3596
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3556
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1436
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2268
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4372
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 2724
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 644
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3540
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 3268
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 1820
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 400
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1292
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 5008
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4296
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 4256
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4672
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2540
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1868
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4444
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 3044
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2964
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2752
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 2488
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 3020
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 4480
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 1644
          - System Network Configuration Discovery: Internet Connection Discovery
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 1400
            - Runs ping.exe

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 2232
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 4900
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 1220
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 2992
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 4676
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2556

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 4416
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 3456
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4804
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 1984
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2616
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2720

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | PID 3144
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\AK47.exe" | PID 5008
      [4] C:\Users\Admin\AppData\Local\Temp\AK47.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK47.exe | PID 4400
      [4] C:\Users\Admin\AppData\Local\Temp\AK74.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\\AK74.exe | PID 3332
        [5] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul | PID 2264
          [6] C:\Windows\SysWOW64\PING.EXE | cmdline: ping -n 2 127.0.0.1 | PID 2688
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

[1] C:\Windows\SysWOW64\svchost.exe | cmdline: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" | PID 5104
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | cmdline: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240607796.txt",MainThread | PID 3664
    - Executes dropped EXE
    - Loads dropped DLL

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4664
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2280
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4324
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2976
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4764 -ip 4764 | PID 792

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 732
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4832
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4420
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2080
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3076
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1888
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1884
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2544
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4468
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1240
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2556
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4324
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3144
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3320
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 384
  - Executes dropped EXE
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4616
    - Executes dropped EXE

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4908
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1892

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3708
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1868

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4400
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2356

[1] C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 232

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4908
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2032

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1292
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3736

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1200
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1612

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2920
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1456

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1036
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2452

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2964
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4180

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1644
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1908

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3104
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4012

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1340
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4144

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1376
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3892

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 332
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1424

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 780
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4104

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3320
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3880

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1864
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1200

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1812
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1036

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3992
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4540

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3020
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3340

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3348
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2180

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2524
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1320

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 5092
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2144

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3956
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4476

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2268
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4012

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4428
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2132

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4744
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3892

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3640
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1200

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2412
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3964

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3456
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3056

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4936
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3892

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2064
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4928

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2116
  - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3288

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3056
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4400

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4660
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4468

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4388
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4240

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3288
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3564

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3108
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2856

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1904
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 212

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2356
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4948

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2140
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1532

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3540
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4412

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4668
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1776

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1200
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 388

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1220
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2832

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2720
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1884

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 400
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4668

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3644
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1612

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1416
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2372

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1276
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1656

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1240
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 692

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 772
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 5080

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2964
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1200

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4688
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 1560

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2632
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 5016

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2272
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2748

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4856
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 5080

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2100
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 2752

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4424
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4816

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 4372
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 5016

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3108
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 232

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 3360
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4780

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 212
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 5040

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 2920
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 3652

[1] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -auto | PID 1892
  [2] C:\Windows\SysWOW64\Ghiya.exe | cmdline: C:\Windows\SysWOW64\Ghiya.exe -acsi | PID 4644
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1820
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:4668
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:772
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1552
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4912
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3548
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1264
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2440
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2072
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:5000
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4484
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1812
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1996
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:772
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4632
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:680
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1264
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1224
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2632
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:4284
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3104
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:756
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4780
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:232
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3548
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3940
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1220
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:4828
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2632
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:348
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3028
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1280
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1528
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:788
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3956
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1416
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2032
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:4884
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4156
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1240
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:4032
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1076
-
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (T1547): 2
        Registry Run Keys / Startup Folder (T1547.001): 2
    Server Software Component (T1505): 1
        Terminal Services DLL (T1505.005): 1
Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
        Registry Run Keys / Startup Folder (T1547.001): 2
Downloads
Filesize 91KB
MD5 423eb994ed553294f8a6813619b8da87
SHA1 eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256 050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512 fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Filesize 400KB
MD5 b0998aa7d5071d33daa5b60b9c3c9735
SHA1 9365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA256 3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512 308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Filesize 92B
MD5 29ce53e2a4a446614ccc8d64d346bde4
SHA1 39a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA256 56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512 b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Filesize 753B
MD5 bae903523ce3c3c3867164786e64bc29
SHA1 3a1c88746d18d2a99cd333ee48ffcba736e028e2
SHA256 17a70df6c403f70ec0614e55ac17852b8e329cac2628ef35913198ef1888058a
SHA512 c949a2fab8538da2901e8dc44dabe79b31ec829389523dff0cba402d0cc0118cccb82831cfdf64b61707b57954e441230ab55ecfee30c9f05d8a20e52df07c18

Filesize 1.2MB
MD5 02f1934f197655f2a5f63fd31c905557
SHA1 2ac38d22e0df31c439ff988f7d7e47c73e649435
SHA256 9c50588415094f16cbd67c42275adb483a03bbe29c366db2a2f78e9082c394e0
SHA512 03cdbfe4934e8be047b53bd829c092400ed963efaef8f2868a4a71d0fe0ad28a1ff64e2826613b0cfc07faa28481b87c8e0080c1cc5f9a985290eef5e027d394

Filesize 49KB
MD5 8eee2cfcd52178886e5028f61ec95940
SHA1 41031a7beda44fc58f96754d15e79daa024750da
SHA256 a8b441883a615e494dc2ceee2eb4e0483b93f34d2dd0210728eb8dc3d6128bf8
SHA512 f3bb9c2bb7315698f573f2ab2b3ba42e0bed2e73142f653a1cbac01b54adc04994286645669f4aa804707ffa3e20b293fdde57a6b55be3ec7b1590800a6d8e0f

Filesize 45B
MD5 b6eb0bc2fe0b9a65b40b11533b31c26a
SHA1 eb199dcaf4bd1767bd5cd16dce82691c83488f1d
SHA256 5e12f4b10149a804ee1769aa9609c1b35915691eb86214ceb8339a00d4fd3486
SHA512 abe8563099dbb5cefbc0aa0b0cdeb2e366f276031f7aab7a268e8face57469a174bb0b74eb0dd51b32256f6c3f8333b287c5016b0123049ad7b6bb3538507adf

Filesize 60KB
MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
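The dropped-file list above is the part of the report most directly reusable as indicators. The script below is an added example, not part of the report or of any analysis tool: it parses records in the flattened form the report exports them ("MD5" immediately followed by the digest, a "Filesize" line, "-" separators), validates digest lengths so a truncated hash cannot silently never match, and checks a file's bytes against the table with a cheap size pre-filter before hashing. Two of the records are copied from the list above as constructed sample input; the size tolerance (one display unit for KB/MB, since the report rounds those sizes) is my assumption, not something the report states.

```python
"""Turn a report's dropped-file digests into an IOC table and check bytes against it.

Added example, not part of the report.
"""
import hashlib
import re
from dataclasses import dataclass, field

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

# Constructed sample: two records copied from the Downloads list in this report, in
# the raw export form (label and digest run together, "-" between records).
SAMPLE_RECORDS = """
Filesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
Filesize
92B
MD529ce53e2a4a446614ccc8d64d346bde4
SHA139a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA25656225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa
"""


@dataclass
class FileIOC:
    size_text: str
    digests: dict = field(default_factory=dict)  # algorithm -> lowercase hex

    def size_bounds(self):
        """Accept sizes within one display unit of the stated value.
        Assumption: the report rounds KB/MB sizes, so only a 'B' size is exact."""
        m = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KB|MB)", self.size_text)
        if not m:
            return None
        n, unit = float(m[1]), UNIT[m[2]]
        slack = 0 if unit == 1 else unit
        return int(n * unit - slack), int(n * unit + slack)


def parse_download_records(text):
    """Parse flattened 'Filesize / <size> / MD5<hex> / SHA1<hex> ...' records."""
    iocs, cur, expect_size = [], None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Filesize":
            cur = FileIOC(size_text="")
            iocs.append(cur)
            expect_size = True
        elif cur is None or line in ("", "-"):
            continue
        elif expect_size:
            cur.size_text = line
            expect_size = False
        else:
            # Longest label first so "SHA512.." is not read as "SHA1" + "512..".
            for algo in ("sha512", "sha256", "sha1", "md5"):
                if line.lower().startswith(algo):
                    digest = line[len(algo):].lower()
                    if len(digest) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                        raise ValueError(f"bad {algo} digest: {line!r}")
                    cur.digests[algo] = digest
                    break
    return iocs


def digests_of(data: bytes):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_bytes(data: bytes, iocs):
    """Return (ioc, matched_algorithms) pairs. Hashing happens only after the size
    pre-filter passes; a partial match (some algorithms agree, others do not) is
    returned as-is so a mistyped IOC is visible instead of silently dropped."""
    hits, observed = [], None
    for ioc in iocs:
        bounds = ioc.size_bounds()
        if bounds and not (bounds[0] <= len(data) <= bounds[1]):
            continue
        observed = observed or digests_of(data)
        matched = [a for a, d in ioc.digests.items() if observed.get(a) == d]
        if matched:
            hits.append((ioc, matched))
    return hits


def ioc_from_bytes(data: bytes):
    """Build a record for a file you hold, e.g. to extend the table from your own triage."""
    return FileIOC(size_text=f"{len(data)}B", digests=digests_of(data))


if __name__ == "__main__":
    table = parse_download_records(SAMPLE_RECORDS)
    blob = b"constructed sample payload, not a dropped file from the report\n"
    print(len(table), "records;", "hits:", match_bytes(blob, table))
```

A real file on disk is checked with `match_bytes(open(path, "rb").read(), table)`; on a match, the second element tells you which of the four digests agreed, and anything less than all four present in the record deserves a look at the IOC source before acting on it.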